CVE-2025-14452
Reflected XSS in WP Customer Reviews Plugin Allows Script Injection
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_customer_reviews | wp_customer_reviews | to 3.7.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The WP Customer Reviews plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in the 'wpcr3_fname' parameter in all versions up to and including 3.7.5. This vulnerability arises because the plugin does not sufficiently sanitize or escape input, allowing unauthenticated attackers to inject malicious scripts. If a user is tricked into clicking a crafted link containing such a script, the script executes in their browser."}, {'type': 'paragraph', 'content': "The vulnerability is addressed in plugin versions 3.7.5 and 3.7.6 by improving input sanitization and output escaping. Specifically, the plugin's 'make_p_obj()' function was enhanced to detect and neutralize potential XSS attack vectors by checking all GET and POST inputs using an 'isXssAttempt()' method and replacing malicious inputs with empty strings."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of a user's browser when they visit a maliciously crafted link. This can lead to theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.
Because the vulnerability is exploitable without authentication and requires only that a user clicks a crafted link, it poses a significant risk to site visitors and administrators alike.
The CVSS v3.1 base score of 7.2 reflects a high severity, indicating that the vulnerability has a high impact on confidentiality and integrity but does not affect availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "The vulnerability is a reflected Cross-Site Scripting (XSS) issue via the 'wpcr3_fname' parameter in the WP Customer Reviews plugin. Detection involves identifying attempts to inject malicious scripts through this parameter in HTTP GET or POST requests."}, {'type': 'paragraph', 'content': "To detect potential exploitation attempts on your network or system, you can monitor web server logs or use web application firewall (WAF) rules to look for suspicious payloads in requests targeting the 'wpcr3_fname' parameter."}, {'type': 'list_item', 'content': "Use command-line tools like grep or awk to search web server access logs for suspicious script tags or encoded payloads in the 'wpcr3_fname' parameter, for example:"}, {'type': 'list_item', 'content': "grep -i 'wpcr3_fname=.*<script' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'wpcr3_fname=.*%3Cscript' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the parameter manually by sending crafted requests containing script tags and observing if the response reflects the input unsanitized.'}, {'type': 'list_item', 'content': 'Example curl command to test for reflected XSS:'}, {'type': 'list_item', 'content': "curl -G 'http://yourwordpresssite.com/path' --data-urlencode 'wpcr3_fname=<script>alert(1)</script>'"}, {'type': 'paragraph', 'content': 'If the response contains the injected script without proper sanitization or escaping, the vulnerability is present.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to update the WP Customer Reviews plugin to version 3.7.6 or later, as these versions include comprehensive input sanitization and security hardening to prevent the reflected XSS vulnerability.'}, {'type': 'paragraph', 'content': 'The updates implement functions that detect and neutralize XSS attack vectors in all GET and POST parameters, replacing malicious input with empty strings and sanitizing data before processing.'}, {'type': 'paragraph', 'content': "If updating immediately is not possible, consider applying web application firewall (WAF) rules or input filtering to block or sanitize requests containing suspicious scripts in the 'wpcr3_fname' parameter."}, {'type': 'paragraph', 'content': 'Additionally, educate users to avoid clicking on suspicious links that might exploit this vulnerability.'}] [1, 2]