Description
Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce <= 5.110.1 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated users can inject malicious scripts into the WordPress Customer Reviews for WooCommerce plugin, allowing them to execute code in the context of site visitors. This type of vulnerability, identified as CWE-79, can lead to session hijacking, defacement, or the delivery of malware to users. The impact is containment of the plugin’s output handling, enabling arbitrary script execution on affected sites.

Affected Systems

The vulnerability affects the CusRev:Customer Reviews for WooCommerce plugin, versions 5.110.1 or earlier. The plugin is commonly deployed on WordPress sites that use WooCommerce to display customer feedback. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level, but the EPSS score is not available, so the current likelihood of exploitation is uncertain. The issue is not listed in CISA’s KEV catalog. Because the flaw is unauthenticated, anyone can trigger it by crafting a payload that is stored in a review or other user-generated content field and then view the page that displays that content. Once the malicious script runs, it can perform actions in the victim’s browser session.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Remediation

Vendor Solution

Update the WordPress Customer Reviews for WooCommerce Plugin to the latest available version (at least 5.111.0).

OpenCVE Recommended Actions

  • Update the Customer Reviews for WooCommerce plugin to version 5.111.0 or later to resolve the XSS flaw.
  • If an immediate update is not possible, temporarily disable the plugin or remove it from the site to prevent exploitation until the patch can be applied.
  • Audit existing reviews and other writable content for injected scripts and cleanse them or republish pages to ensure that any stored malicious payloads are removed before re-enabling the plugin.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Cusrev
Cusrev customer Reviews For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Cusrev
Cusrev customer Reviews For Woocommerce
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce <= 5.110.1 versions.
Title WordPress Customer Reviews for WooCommerce plugin <= 5.110.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Cusrev Customer Reviews For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:18:06.738Z

Reserved: 2026-06-18T14:37:51.350Z

Link: CVE-2026-56043

cve-icon Vulnrichment

Updated: 2026-06-26T20:18:00.606Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T19:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')