Description
The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Customer Reviews Collector for WooCommerce plugin contains a reflected cross‑site scripting flaw caused by insufficient sanitization of the "email‑text" parameter. An attacker can inject arbitrary JavaScript that is reflected back in the page when a user follows a crafted link or submits a form, allowing the malicious script to execute in the victim’s browser.

Affected Systems

The flaw affects all installations of the trustindex Customer Reviews Collector for WooCommerce plugin on WordPress up to and including version 4.6.1. Any site running a vulnerable version and exposing the "email‑text" parameter may be impacted.

Risk and Exploitability

The severity is indicated by a CVSS score of 6.1, suggesting a moderate risk. The EPSS score of less than 1% indicates a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an attacker to lure a user to the vulnerable page via a malicious link or form that includes the unescaped "email‑text" value, with no privileged access required.

Generated by OpenCVE AI on April 22, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Customer Reviews Collector for WooCommerce plugin to a version that fixes the XSS flaw (v4.6.2 or later).
  • If an immediate upgrade is not possible, disable or restrict the public exposure of the "email‑text" parameter, for example by turning off email notifications that use it or modifying the plugin settings to block the parameter.
  • Monitor for potential malicious links or suspicious user activities on sites using the vulnerable plugin.

Generated by OpenCVE AI on April 22, 2026 at 12:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Trustindex
Trustindex customer Reviews Collector For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Trustindex
Trustindex customer Reviews Collector For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 05:30:00 +0000

Type Values Removed Values Added
Description The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Customer Reviews Collector for WooCommerce <= 4.6.1 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Trustindex Customer Reviews Collector For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:38.394Z

Reserved: 2025-10-23T18:21:05.224Z

Link: CVE-2025-12123

cve-icon Vulnrichment

Updated: 2025-11-28T16:19:48.250Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T06:15:45.360

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12123

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses