Description
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order.
Published: 2026-01-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Assess Impact
AI Analysis

Impact

The Customer Reviews for WooCommerce plugin allows attackers with at least subscriber-level access (or unauthenticated users when guest checkout is enabled) to inject arbitrary JavaScript through the displayName parameter. The plugin neither sanitizes this input nor escapes it on output, so the payload is stored and executes every time any user loads the affected form page. The flaw is a classic Stored XSS (CWE-79) and can lead to session hijacking, defacement, or phishing of other site visitors.

Affected Systems

The vulnerability exists in all Customer Reviews for WooCommerce releases up to and including version 5.93.1. Any WordPress installation where the plugin is active is in scope. No other vendors or products are listed.

Risk and Exploitability

The listed CVSS score of 6.4 indicates medium severity, and an EPSS figure below 1% suggests little observed exploit activity so far. Because the flaw requires stored form data, an attacker must first place an order to obtain a valid form ID, as the description notes; this limits the immediate reach but still poses a risk, especially where guest checkout lets unauthenticated users create orders. The vulnerability is not in CISA KEV, and no official fix is referenced in the provided CNA data, but the change set link implies an upstream fix exists in a newer release. Attackers can reach the flaw via the AJAX endpoint or by direct form submission, as inferred from the code references.

Generated by OpenCVE AI on April 22, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Customer Reviews for WooCommerce plugin to the latest available version, which includes proper sanitization and escaping for the displayName field.
  • Until an update can be applied, disable the plugin in environments where review functionality is not required, or restrict review posting to a role higher than subscriber if a quick deployment is not possible.
  • If an immediate update is not feasible, validate the displayName value on the server side and reject or strip any characters that could lead to script execution; client-side filtering of script tags can supplement this but is not a control on its own, since the AJAX endpoint can be called directly.
  • Turn off guest checkout if the site allows it, to remove the unauthenticated exploitation pathway flagged in the description.
  • Deploy a web application firewall rule that blocks common XSS payloads targeting the displayName endpoint, and monitor requests for anomalous script injection attempts.

Generated by OpenCVE AI on April 22, 2026 at 00:06 UTC.
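The Impact analysis and the recommended actions above both come down to the same two controls: sanitize the displayName value when it is accepted and escape it in the context where it is rendered. The following is an added example written for this page, not code from the Customer Reviews for WooCommerce plugin; it shows a hypothetical WordPress AJAX handler in the vulnerable shape beside a hardened one. The action names, option key and function names are assumptions; the WordPress API calls used (check_ajax_referer, wp_unslash, sanitize_text_field, esc_html, esc_attr, get_option, update_option, wp_send_json_success, wp_send_json_error, add_action) are real.

```php
<?php
/**
 * Added example, not the plugin's code. A hypothetical AJAX handler that
 * stores a reviewer's 'displayName' and a template function that renders it.
 * Action names, the option key and function names are assumptions.
 */

// ---------- Vulnerable pattern: raw value in, raw value out ----------

function example_save_display_name_vulnerable() {
    // The POST value is stored exactly as received: no sanitization.
    $name = $_POST['displayName'];
    update_option( 'example_review_display_name', $name );
    wp_send_json_success();
}

function example_render_display_name_vulnerable() {
    // The stored value is emitted unescaped, so any markup it contains is
    // interpreted by the browser of every visitor who loads the page.
    $name = get_option( 'example_review_display_name', '' );
    echo '<span class="reviewer-name">' . $name . '</span>';
}

// ---------- Hardened pattern: verify request, sanitize in, escape out ----------

function example_save_display_name_hardened() {
    // 1. The request must carry a nonce issued for this form (third argument
    //    defaults to true, so an invalid nonce terminates the request).
    check_ajax_referer( 'example_review_form', 'nonce' );

    if ( ! isset( $_POST['displayName'] ) ) {
        wp_send_json_error( array( 'message' => 'displayName is required' ), 400 );
    }

    // 2. Sanitize on input: wp_unslash() undoes WordPress's added slashes,
    //    sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    //    A length bound is a reasonable extra rule for a display name.
    $name = sanitize_text_field( wp_unslash( $_POST['displayName'] ) );
    if ( '' === $name || mb_strlen( $name ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid displayName' ), 400 );
    }

    update_option( 'example_review_display_name', $name );
    wp_send_json_success( array( 'displayName' => $name ) );
}

function example_render_display_name_hardened() {
    // 3. Escape on output, per context: esc_attr() inside an attribute,
    //    esc_html() in element text. The value is escaped even though it was
    //    sanitized on input, because stored data may predate the hardened
    //    code path (for example, rows written by a version without the fix).
    $name = get_option( 'example_review_display_name', '' );
    echo '<span class="reviewer-name" title="' . esc_attr( $name ) . '">'
        . esc_html( $name ) . '</span>';
}

// The description notes the AJAX action is reachable without authentication,
// so both the logged-in and the nopriv hook are registered here and the
// handler itself must not trust the caller.
add_action( 'wp_ajax_example_save_display_name', 'example_save_display_name_hardened' );
add_action( 'wp_ajax_nopriv_example_save_display_name', 'example_save_display_name_hardened' );
```

Two design points are worth noting. Sanitization on input and escaping on output are not interchangeable: sanitize_text_field() removes tags, but it does not make a value safe for an attribute or a JavaScript context, which is why the renderer applies the escaping function for each context it writes into. And escaping at output is what protects a site whose database already holds values written before the plugin was updated, which is the situation the "update to the latest version" action leaves behind.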

Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Ivole; Ivole customer Reviews For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ivole; Ivole customer Reviews For Woocommerce; Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 04:00:00 +0000

Type: Description
Values Added: (identical to the Description section at the top of this page)

Type: Title
Values Added: Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (no values shown)

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:20.992Z

Reserved: 2025-12-18T15:35:27.343Z

Link: CVE-2025-14891

Vulnrichment

Updated: 2026-01-07T14:53:24.484Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:57.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses