CVE-2025-1232: 
WordPress vulnerability analysis and mitigation

The Site Reviews WordPress plugin before version 7.2.5 contains a stored Cross-Site Scripting (XSS) vulnerability. The issue was discovered by Dmitrii Ignatyev and publicly disclosed on February 26, 2025. The vulnerability stems from improper sanitization and escaping of Review fields, potentially allowing unauthenticated users to perform stored XSS attacks (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The vulnerability can be exploited through the 'Review Form' block where malicious scripts can be injected into the 'Your review' field (WPScan).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers, potentially leading to cookie theft, session hijacking, and other client-side attacks. The impact is particularly severe as it affects both regular users viewing pages with the 'Latest Reviews' block and administrators editing such pages (WPScan).

The vulnerability has been patched in version 7.2.5 of the Site Reviews WordPress plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).