PT-2023-23863 · WordPress · Widgets For Google Reviews

Alex Thomas · Published 2023-10-17 · Updated 2023-10-30 · CVE-2023-3254

CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Widgets for Google Reviews plugin for WordPress, versions up to and including 10.9

Description: The issue is due to missing or incorrect nonce validation within setup_no_reg_header.php, making it possible for unauthenticated attackers to reset plugin settings and remove reviews via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action, such as clicking on a link.

Recommendations: For versions up to and including 10.9, consider disabling the setup_no_reg_header.php file or restricting access to it until a patch is available. As a temporary workaround, restrict the ability of site administrators to perform actions that could be triggered by a forged request.
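The weakness described above is the general WordPress CSRF pattern: a state-changing handler that acts on any request reaching it, so a page the administrator happens to visit can submit that request on their behalf. The following is an added example, not code from the Widgets For Google Reviews plugin, showing the unprotected shape beside the protected one. The hook names (`grw_example_reset_weak`, `grw_example_reset`), the option name `grw_example_settings` and the settings page slug are assumptions for illustration; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are the real ones.

```php
<?php
// Added example (not the plugin's code): a state-changing admin action in
// WordPress, first without and then with the checks that defeat a forged
// request from another site. All grw_example_* names are illustrative.

// --- Weak form: nothing ties the request to the administrator's intent. ---
// Any page the logged-in administrator visits can auto-submit a form (or even
// load an image) pointing at admin-post.php?action=grw_example_reset_weak,
// and the settings are wiped. This is the class of defect the advisory names.
add_action( 'admin_post_grw_example_reset_weak', function () {
    delete_option( 'grw_example_settings' );   // assumed option name
    wp_safe_redirect( admin_url( 'admin.php?page=grw-example' ) );
    exit;
} );

// --- Hardened form: POST only, nonce check, then capability check. ---

// 1. Render the trigger as a POST form carrying a nonce bound to this action.
//    wp_nonce_field() emits a hidden field whose value depends on the action
//    string, the current user and their session, so a third-party site
//    cannot obtain or guess it.
function grw_example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="grw_example_reset">
        <?php wp_nonce_field( 'grw_example_reset', '_grw_nonce' ); ?>
        <?php submit_button( 'Reset settings', 'delete' ); ?>
    </form>
    <?php
}

// 2. Handle it: verify method, nonce and capability before touching state.
add_action( 'admin_post_grw_example_reset', function () {
    // A state change must not be reachable through a plain link or <img src>.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Invalid request method.', 'Error', array( 'response' => 405 ) );
    }

    // check_admin_referer() stops the request with a 403 unless the nonce in
    // the named field is valid for this action and this user. Nonces expire
    // (default 12-24 hours), so a captured one is not reusable indefinitely.
    check_admin_referer( 'grw_example_reset', '_grw_nonce' );

    // A valid nonce proves intent, not authority: still check the capability,
    // otherwise any logged-in subscriber with a nonce could reset settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Error', array( 'response' => 403 ) );
    }

    delete_option( 'grw_example_settings' );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'admin.php?page=grw-example' ) ) );
    exit;
} );
```

If the handler needs to fail more gracefully than `check_admin_referer()`'s `wp_die()`, `wp_verify_nonce( $_POST['_grw_nonce'], 'grw_example_reset' )` returns `false` on failure and `1` or `2` on success (the latter meaning the nonce is in its second half of life), and the code can redirect with an error notice instead. Either way the nonce check is only half of the fix: the capability check must stand beside it, since nonces are issued to every authenticated user, not only administrators. When auditing a plugin for this class of issue, a useful first pass is to list every handler that writes options or deletes rows and confirm each one reaches a `check_admin_referer()`/`wp_verify_nonce()` call and a `current_user_can()` call before the write; a standalone PHP file that is reachable directly, rather than through `admin-post.php` or the REST API, bypasses WordPress's request routing entirely and deserves particular attention.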

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2023-3254

Affected Products

Widgets For Google Reviews