CVE-2026-28132
Received Received - Intake
Cross-Site Scripting in WooCommerce Photo Reviews

Publication date: 2026-02-26

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection.This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28132
EUVD
EUVD-2026-8845
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
villatheme woocommerce_photo_reviews to 1.4.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28132 is a Content Injection vulnerability found in the WordPress WooCommerce Photo Reviews Plugin versions up to and including 1.4.4.

This vulnerability allows unauthenticated attackers to inject arbitrary content into website pages and posts by exploiting improper neutralization of script-related HTML tags, which is a form of basic Cross-Site Scripting (XSS).

Such injection could potentially enable attackers to insert phishing pages or malicious content into affected websites.

Impact Analysis

[{'type': 'paragraph', 'content': "The vulnerability can allow attackers to inject malicious content into your website's pages or posts without authentication."}, {'type': 'paragraph', 'content': "This could lead to the insertion of phishing pages or other harmful content, potentially damaging your website's reputation and trustworthiness."}, {'type': 'paragraph', 'content': 'However, the severity is considered low (CVSS score 5.3), and exploitation is regarded as unlikely.'}, {'type': 'paragraph', 'content': 'Currently, no official patch or mitigation is available, so affected users should be cautious and monitor their sites.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

There is no official patch currently available for this vulnerability in the WooCommerce Photo Reviews plugin up to version 1.4.4.

Since exploitation is considered unlikely due to the low severity, immediate mitigation steps are limited.

It is recommended to monitor for updates from the plugin developer and Patchstack for any forthcoming patches or mitigation advice.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart