CVE-2025-1707: 
WordPress vulnerability analysis and mitigation

The Review Schema plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-1707) affecting all versions up to and including 2.2.4. The vulnerability was discovered and disclosed on March 11, 2025. This security issue affects the plugin's file handling functionality and allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server (NVD).

The vulnerability exists in the plugin's template loading functionality, specifically in the ReviewSchema.php file. The issue stems from improper sanitization of file paths in the gettemplatepart function. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk that requires low attack complexity (NVD).

The vulnerability allows authenticated attackers to include and execute arbitrary files on the server, potentially leading to unauthorized access to sensitive data, bypass of access controls, and code execution if PHP files can be uploaded and included. This poses a significant risk to WordPress installations using the affected plugin versions (NVD).

A security fix has been released in version 2.2.5 of the Review Schema plugin. Users are strongly advised to update to this latest version immediately. The update includes enhanced security measures to prevent file inclusion vulnerabilities (WordPress Plugin).