WooCommerce Review Plugin Patched - Are 80k Stores Still Exposed?

A silent XSS bug in Customer Reviews for WooCommerce let anyone inject code on 80k sites. See if your store is safe and how to fix it.

Wordfence has disclosed a high-severity stored cross-site scripting (XSS) vulnerability in Customer Reviews for WooCommerce, a plugin active on more than 80,000 WordPress sites. The flaw allows unauthenticated attackers to inject malicious JavaScript that executes whenever an affected page is viewed.

What happened

On 12 June 2024, Wordfence published an advisory describing the bug. All plugin versions from 1.0.0 through 5.80.2 are vulnerable.

How the vulnerability works

The plugin fails to sanitize the “author” field in product reviews and does not properly escape that value on output. An attacker can therefore submit a review containing JavaScript, which is then stored in the database and executed for every visitor who loads the review - a classic stored XSS scenario.

Severity and impact

  • Type: Stored cross-site scripting (XSS)
  • Attack vector: Unauthenticated HTTP request that sets the “author” field
  • CVSS v3.1 score: 7.1 (High)
  • Affected versions: 1.0.0–5.80.2
  • Active installations: 80,000+ sites

Patch and mitigation

The developer released version 5.81.0 on 10 June 2024, which filters the “author” input and escapes it on output, preventing script injection. Site owners should:

  • Update Customer Reviews for WooCommerce to 5.81.0 or later immediately
  • Audit existing reviews and remove any suspicious or unauthorized content
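As an added illustration (not code from the plugin, its developer or Wordfence), the Python below models the two halves of the fix the advisory describes, filtering the "author" value on input and escaping it on output, together with the audit step for reviews already stored. The review rows are constructed test data and the sanitize/escape helpers are stand-ins modelled on the intent of WordPress' sanitize_text_field and esc_html, not copies of them.

```python
import html
import re

# Constructed sample rows standing in for stored product reviews (the
# "author" column as it would sit in the database). Not real site data.
SAMPLE_REVIEWS = [
    {"id": 1, "author": "O'Brien & Sons", "rating": 5},
    {"id": 2, "author": "<script>alert(1)</script>", "rating": 1},
    {"id": 3, "author": "Jane <3 this shop", "rating": 4},
]

# Things a reviewer name should never legitimately contain: an HTML tag,
# an inline event-handler attribute, or a javascript: URL scheme.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)


def sanitize_author(value: str) -> str:
    """Input-side filter (stand-in for sanitize_text_field): drop tags and
    control characters, then collapse runs of whitespace."""
    value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch >= " ")
    return " ".join(value.split())


def render_author_unsafe(author: str) -> str:
    """The pre-5.81.0 behaviour the advisory describes: the stored value is
    written into the page unchanged, so markup in it becomes live HTML."""
    return f'<span class="review-author">{author}</span>'


def render_author_safe(author: str) -> str:
    """Output-side escaping (stand-in for esc_html): every stored value is
    HTML-escaped at render time, so it is displayed as text, never parsed."""
    return f'<span class="review-author">{html.escape(author, quote=True)}</span>'


def audit_reviews(reviews):
    """Return the ids of stored reviews whose author field looks like
    markup or script; these are the rows a site owner should inspect."""
    return [r["id"] for r in reviews if SUSPICIOUS.search(r["author"])]


if __name__ == "__main__":
    print("rows to inspect:", audit_reviews(SAMPLE_REVIEWS))
    for row in SAMPLE_REVIEWS:
        print(row["id"], "->", render_author_safe(sanitize_author(row["author"])))
```

Legitimate names with apostrophes, ampersands or a stray "<3" survive both the filter and the audit, which is the check that matters before bulk-deleting flagged rows.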

Plugin background

Customer Reviews for WooCommerce helps merchants collect and showcase shopper feedback and has been available in the WordPress plugin directory since 2018. WordPress security guidelines require developers to sanitize user input and escape output; failing to do either is a common root cause of XSS vulnerabilities.

Disclosure timeline

  • 10 June 2024 - Developer releases version 5.81.0 with a fix
  • 12 June 2024 - Wordfence publishes public advisory
