PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12154 widgetpack CVE debrief

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr().

Vendor
widgetpack
Product
Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Authenticated attackers with contributor-level access and above may be able to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This could potentially lead to unauthorized modifications to the website, theft of sensitive information, or disruption of service. Affected operators should prioritize patching to prevent exploitation.

Technical summary

The vulnerability exists in the Feed_Shortcode::fbrev() method of the Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress. The method fails to properly sanitize and escape user input from the 'page_id' shortcode attribute, allowing for Stored Cross-Site Scripting (XSS) attacks. The CVSS score for this vulnerability is 6.4, indicating a Medium severity level. This issue arises because the raw shortcode attribute is passed through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr().

Defensive priority

Medium priority due to CVSS score of 6.4 and potential for authenticated attackers to inject malicious scripts.

Recommended defensive actions

  • Apply the latest patch (version 2.7.4 or later) to the Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress.
  • Restrict access to the plugin's shortcode functionality to prevent authenticated attackers from injecting malicious scripts.
  • Monitor for suspicious activity and implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent potential attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-06T18:16:36.670Z and was last modified on 2026-07-07T15:16:42.180Z. The NVD entry is currently Deferred. Evidence is limited to the CVE and NVD entries, which provide basic details about the vulnerability but do not offer extensive technical analysis or exploit information. Defenders should verify the existence of affected deployments and review official advisories for further guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T18:16:36.670Z and has not been modified since then. The NVD entry is currently Deferred.