CVE-2025-10679 (CVSS 7.3) allows unauthenticated attackers to invoke arbitrary PHP class methods via the ReviewX WooCommerce plugin’s bulkTenReviews function in all versions through 2.2.12, with worst-case impact of remote code execution depending on the PHP methods accessible in the target environment. No confirmed patched version was identified in available source data; organizations should disable the plugin on all WooCommerce instances until a fix is confirmed available and applied. Monitor WordPress AJAX endpoints for anomalous unauthenticated POST requests and conduct file integrity checks on any instance where exploitation cannot be ruled out.
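One way to triage the monitoring recommendation above, as an added example that is not from the advisory or the plugin vendor: it counts, per client address, POSTs to WordPress's `admin-ajax.php` that carried no login cookie and no same-site Referer. The log format (combined plus a trailing `logged_in=0|1` field), the host `shop.example`, the threshold and the sample lines are assumptions constructed for illustration; the plugin's actual request route is not given in the source and is not modeled.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"  # WordPress core AJAX entry point

# Assumed format: combined log plus a custom trailing field, logged_in=0|1,
# set by the web server when a wordpress_logged_in_* cookie was present.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*" logged_in=(?P<auth>[01])$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [02/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "curl/8.5.0" logged_in=0
198.51.100.7 - - [02/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "curl/8.5.0" logged_in=0
198.51.100.7 - - [02/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "curl/8.5.0" logged_in=0
203.0.113.20 - - [02/Jan/2026:10:01:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://shop.example/product/mug/" "Mozilla/5.0" logged_in=0
192.0.2.44 - - [02/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://shop.example/wp-admin/" "Mozilla/5.0" logged_in=1
203.0.113.20 - - [02/Jan/2026:10:02:30 +0000] "GET /product/mug/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0" logged_in=0
192.0.2.99 - - [02/Jan/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 0 "-" "python-requests/2.31" logged_in=0
'''

def find_suspects(lines, site_host, threshold=3):
    """Return {client_ip: count} for clients at or above the threshold."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["method"] != "POST" or urlsplit(m["target"]).path != AJAX_PATH:
            continue
        if m["auth"] == "1":
            continue  # request carried a login cookie
        # Front-end AJAX from real visitors normally has a same-site Referer.
        # Referer is client-controlled, so treat this as a triage signal only.
        if urlsplit(m["referer"]).hostname == site_host:
            continue
        hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_suspects(SAMPLE_LOG.splitlines(), "shop.example").items():
        print(f"{ip}: {n} unauthenticated off-site POSTs to {AJAX_PATH}")
```

Clients it flags are candidates for the file integrity check the advisory calls for, not proof of exploitation.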