CVE-2025-14891
Stored XSS in WooCommerce Customer Reviews Plugin Allows Script Injection
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | customer_reviews_for_woocommerce | to 5.93.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the 'displayName' parameter in the Customer Reviews for WooCommerce plugin. Since exploitation requires submitting crafted AJAX requests with a valid form ID, monitoring HTTP POST requests to AJAX endpoints related to 'cr_local_forms_submit' and inspecting the 'displayName' parameter for suspicious script content can help detect attacks. Commands to detect such activity could include using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic, or using grep on web server logs to find suspicious payloads. For example, on a Linux server, you could run: 1) grep -i 'displayName' /path/to/access.log | grep -E '<script|javascript:' 2) tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'displayName' 3) Use WP-CLI or custom scripts to audit database entries for injected scripts in review display names. However, no specific commands are provided in the resources.
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Customer Reviews for WooCommerce plugin for WordPress. It occurs due to insufficient input sanitization and output escaping of the 'displayName' parameter in versions up to 5.93.1. Authenticated attackers with customer-level access or higher can inject malicious scripts that execute when other users view the affected pages. Unauthenticated attackers can exploit it only if guest checkout is enabled and they can obtain a valid form ID by placing an order.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary web scripts in the context of the affected site, potentially leading to theft of user data, session hijacking, or other malicious actions. Since the attack can be performed by authenticated users or unauthenticated users under certain conditions, it poses a risk to the integrity and security of the website and its users.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Customer Reviews for WooCommerce plugin to version 5.94.0 or later, as indicated by the changeset 3424980 which presumably addresses this vulnerability. Additionally, if guest checkout is enabled, consider disabling it temporarily to reduce the risk of unauthenticated exploitation. Monitoring and restricting access to AJAX endpoints related to review submissions can also help. Applying input sanitization and output escaping patches from the plugin update will prevent stored cross-site scripting via the 'displayName' parameter. [1]