CVE-2025-57997
Description
Missing Authorization vulnerability in Trustpilot's Trustpilot Reviews WordPress plugin (slug: trustpilot-reviews) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trustpilot Reviews: from n/a through <= 2.5.925.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Trustpilot Reviews WordPress plugin, versions up to and including 2.5.925, contains a missing authorization (broken access control) vulnerability: at least one plugin function can be reached without the permission check it requires. The CVE description does not name the affected function or state the privilege level a caller needs.
Vulnerability Overview
The Trustpilot Reviews plugin for WordPress, versions up to and including 2.5.925, suffers from a missing authorization vulnerability (CWE-862) [1]. In a WordPress plugin this typically means an AJAX action, REST route or admin form handler that performs a privileged operation without first verifying that the caller holds the required capability, so a user with fewer privileges than intended can invoke it. The description classifies the attack pattern as exploiting incorrectly configured access control security levels (CAPEC-180).
Exploitation
The description identifies the defect as a missing authorization check, that is, a capability check absent from a function that needs one [1]. It does not say whether the affected entry point is reachable by unauthenticated visitors or only by a logged-in user with low privileges, and it does not identify the entry point. A nonce check is a separate, CSRF-related control and is not a substitute for a capability check; an endpoint can pass a nonce check and still be missing authorization. This page links no advisory or news report, so it offers no evidence of in-the-wild exploitation of this issue.
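The pattern the description points at, as an added illustration for this page and not code from the Trustpilot Reviews plugin: a WordPress AJAX handler and a REST route that update plugin settings without a capability check, beside the hardened form. Every hook name, option name and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration; constructed for this page, not the plugin's own code.
// Hypothetical names throughout (tp_demo_*, option 'tp_demo_settings').

// --- Vulnerable pattern (CWE-862): privileged action, no capability check ---
add_action( 'wp_ajax_tp_demo_save_settings', 'tp_demo_save_settings_vulnerable' );
// The nopriv hook makes the handler reachable without any login at all.
add_action( 'wp_ajax_nopriv_tp_demo_save_settings', 'tp_demo_save_settings_vulnerable' );

function tp_demo_save_settings_vulnerable() {
    // No current_user_can() and no nonce: any request that reaches
    // admin-ajax.php?action=tp_demo_save_settings can rewrite the options.
    $settings = array(
        'business_unit' => isset( $_POST['business_unit'] )
            ? sanitize_text_field( wp_unslash( $_POST['business_unit'] ) )
            : '',
    );
    update_option( 'tp_demo_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern: authorize first, then check the nonce, then act ---
add_action( 'wp_ajax_tp_demo_save_settings_v2', 'tp_demo_save_settings_hardened' );
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach it.

function tp_demo_save_settings_hardened() {
    // Authorization: the caller must hold the capability the action requires.
    // wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection is a separate control; check_ajax_referer() dies on failure.
    check_ajax_referer( 'tp_demo_save_settings', 'nonce' );

    $settings = array(
        'business_unit' => isset( $_POST['business_unit'] )
            ? sanitize_text_field( wp_unslash( $_POST['business_unit'] ) )
            : '',
    );
    update_option( 'tp_demo_settings', $settings );
    wp_send_json_success();
}

// --- Same rule for REST routes: permission_callback is where authorization lives ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'tp-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'tp_demo_rest_save_settings',
        // '__return_true' here would be the REST equivalent of the AJAX bug above.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function tp_demo_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'tp_demo_settings', array(
        'business_unit' => sanitize_text_field( (string) $request->get_param( 'business_unit' ) ),
    ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_`, `permission_callback` set to `__return_true`, and `admin_post_nopriv_` hooks, then confirm each target performs a `current_user_can()` check before any `update_option()`, file write or data read that the plugin's settings screen restricts.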
Impact and Mitigation
Depending on which function lacks the check, exploitation could let a caller change the plugin's configuration or read data the plugin is meant to restrict. The CVSS score of 4.3 indicates medium severity. The narrative cites version 3.6.0 as the release that fixes the issue [1], but this page lists no patch for the CVE, so confirm in the plugin's changelog on WordPress.org that the installed release is past the affected range (<= 2.5.925) before treating a site as fixed, and update as soon as a fixed release is available. If updating is not immediately possible, deactivate the plugin or block the plugin's AJAX and REST entry points at the web server or WAF until it can be updated, and consult your hosting provider or web developer [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Trustpilot Reviews (trustpilot-reviews): <= 2.5.925
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.