VYPR
High severity (CVSS 7.1) · NVD Advisory · Published Nov 6, 2025 · Updated Apr 27, 2026

CVE-2025-53573


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Epic Review epic-review allows Reflected XSS. This issue affects Epic Review: from n/a through <= 1.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Epic Review plugin (≤1.0.2) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability

Overview

The Epic Review plugin for WordPress versions up to and including 1.0.2 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into the response, which is then executed in the context of the victim's browser session.

Exploitation

Details

Exploitation requires user interaction — a privileged user must click a crafted link, visit a malicious page, or submit a specially prepared form [1]. The attack does not require authentication on the part of the attacker, but the victim must be logged into the WordPress site. The reflected nature means the payload is delivered via a URL or form submission, making it suitable for mass phishing or watering-hole campaigns.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads [1]. The CVSS v3 base score of 7.1 (High) reflects the moderate attack complexity (user interaction is required) combined with the significant potential for harm, especially given the plugin's widespread use.

Mitigation

The vendor has released version 1.0.3, which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update right away, Patchstack provides a virtual patching rule that blocks attack attempts until the plugin can be updated [1]. No workarounds beyond updating or applying a WAF rule are documented.
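As an added illustration (not code from Epic Review or from this advisory), the pattern behind CWE-79 in a WordPress plugin and its idiomatic fix; the query-string key and function names are hypothetical, since the advisory does not identify the affected input:

```php
<?php
// Added illustration, not the plugin's code. The advisory does not name the
// affected parameter, so the key "review_filter" and the two render
// functions below are hypothetical.

// BEFORE: reflected XSS pattern (CWE-79). A request parameter is written
// straight into the HTML response, so any markup carried in the URL becomes
// part of the page that a logged-in victim's browser renders.
function epic_demo_render_filter_unsafe() {
    $filter = isset( $_GET['review_filter'] ) ? $_GET['review_filter'] : '';
    // Unescaped in an attribute context AND in a text-node context.
    echo '<input type="text" name="review_filter" value="' . $filter . '">';
    echo '<p>Showing reviews for: ' . $filter . '</p>';
}

// AFTER: neutralize on input, then escape for each output context.
function epic_demo_render_filter_safe() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, line breaks and control characters.
    $filter = isset( $_GET['review_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['review_filter'] ) )
        : '';

    // Attribute context: esc_attr() encodes quotes and angle brackets so the
    // value cannot terminate the value="..." attribute.
    printf(
        '<input type="text" name="review_filter" value="%s">',
        esc_attr( $filter )
    );

    // Text-node context: esc_html() encodes <, >, & and quotes so any
    // remaining markup is displayed literally rather than parsed.
    printf( '<p>Showing reviews for: %s</p>', esc_html( $filter ) );
}
```

Input sanitization alone is not sufficient: the escaping call must match the output context (attribute, text node, URL, JavaScript), which is why the safe version escapes at each echo rather than once on read. A WAF rule such as the one the advisory mentions only filters known attack shapes and is a stopgap until the code-level fix in 1.0.3 is deployed.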

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.