CVE-2025-7327: 
WordPress vulnerability analysis and mitigation

The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in versions up to and including 1.0.15. The vulnerability exists in the layout parameter and was discovered in July 2025. This security issue affects all installations of the Widget for Google Reviews WordPress plugin prior to version 1.0.16 (NVD, CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary PHP files on the server through directory traversal via the layout parameter. The issue has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD).

Successful exploitation of this vulnerability can allow attackers to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The scope is limited to PHP files only. Given the CVSS score of 8.8, this represents a significant security risk with potential for full system compromise (NVD).

The vulnerability has been patched in version 1.0.16. Site administrators are strongly advised to update to this version immediately. The patch implements proper input sanitization and data validation for improved security and stability (WordPress Plugin).