CVE-2025-54730

The Embedder for Google Reviews plugin for WordPress versions up to and including 1.7.3 suffers from a missing authorization vulnerability. This broken access control issue means that certain functions within the plugin do not properly enforce ACLs, allowing users to access functionality that should require higher privileges [1].

Attackers can exploit this vulnerability without needing any authentication, as the plugin fails to check nonce tokens or user capabilities before executing privileged actions. This makes it possible for unauthenticated visitors to trigger administrative functions, potentially affecting thousands of sites running the vulnerable plugin [1].

The impact is considered low severity (CVSS 5.3) but the vulnerability is known to be used in mass-exploit campaigns targeting WordPress sites regardless of size. An attacker could leverage this to perform unauthorized actions, though the exact scope of accessible functionality is limited by the plugin's design [1].

The vulnerability has been patched in version 1.7.4. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].