Wordfence has disclosed a high-severity stored cross-site scripting (XSS) vulnerability in Customer Reviews for WooCommerce, a plugin active on more than 80,000 WordPress sites. The flaw allows unauthenticated attackers to inject malicious JavaScript that executes whenever an affected page is viewed.
What happened
On 12 June 2024, Wordfence published an advisory describing the bug. All plugin versions from 1.0.0 through 5.80.2 are vulnerable.
How the vulnerability works
The plugin fails to sanitize the “author” field in product reviews on input and does not properly escape that value on output. An attacker can therefore submit a review whose author name contains JavaScript; the payload is stored in the database and executes in the browser of every visitor who loads the review - a classic stored XSS scenario, where a single submission affects all later page views until the stored content is removed.
Severity and impact
- Type: Stored cross-site scripting (XSS)
- Attack vector: Unauthenticated HTTP request that sets the “author” field
- CVSS v3.1 score: 7.1 (High)
- Affected versions: 1.0.0–5.80.2
- Active installations: 80,000+ sites
Patch and mitigation
The developer released version 5.81.0 on 10 June 2024, which filters the “author” input and escapes it on output, preventing script injection. Site owners should:
- Update Customer Reviews for WooCommerce to 5.81.0 or later immediately
- Audit existing reviews and remove any suspicious or unauthorized content
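To make the input/output pattern from the “How the vulnerability works” section concrete and to illustrate the review-audit step above, here is an added PHP example; it is not the plugin's own code. `sanitize_text_field()` and `esc_html()` are the real WordPress functions, and the fallback definitions, the `render_*` helpers and the `find_suspicious_authors()` audit helper are assumptions written for this illustration so the file runs outside WordPress.

```php
<?php
// Stand-ins so this file runs without WordPress loaded. Inside WordPress the
// real sanitize_text_field() and esc_html() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Mirrors the relevant part of wp_strip_all_tags(): drop script/style
        // bodies, then strip remaining tags. WordPress also normalises whitespace.
        $str = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $str);
        return trim(strip_tags($str));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the submitted author name is stored and printed as-is,
// so whatever markup it carries reaches every visitor's browser.
function render_review_author_unsafe(array $review): string {
    return '<span class="author">' . $review['author'] . '</span>';
}

// Hardened pattern: sanitize on input, escape on output. Escaping at output
// time is the layer that actually stops stored markup from being interpreted.
function store_review_author(string $raw): string {
    return sanitize_text_field($raw);
}
function render_review_author_safe(array $review): string {
    return '<span class="author">' . esc_html($review['author']) . '</span>';
}

// Audit helper (hypothetical) for reviews already in the database: flags
// author values containing markup or script-like fragments for manual review.
// Feed it id => comment_author pairs read from your comments table.
function find_suspicious_authors(array $stored_authors): array {
    $flagged = [];
    foreach ($stored_authors as $id => $author) {
        if (preg_match('/[<>]|javascript:|\bon\w+\s*=/i', $author)) {
            $flagged[$id] = $author;
        }
    }
    return $flagged;
}

// Constructed sample input standing in for an attacker-controlled "author" field.
$submitted = 'Alice<script>alert(1)</script>';
echo render_review_author_unsafe(['author' => $submitted]), PHP_EOL;                 // raw script tag in output
echo render_review_author_safe(['author' => store_review_author($submitted)]), PHP_EOL; // "Alice" only
print_r(find_suspicious_authors([17 => 'Bob', 42 => $submitted]));                    // flags id 42
```

The audit regex is deliberately broad and will produce some false positives; it is meant to shortlist entries for a human to inspect, not to delete anything automatically.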
Plugin background
Customer Reviews for WooCommerce helps merchants collect and showcase shopper feedback and has been available in the WordPress plugin directory since 2018. WordPress security guidelines require developers to sanitize user input and escape output; failures to follow these rules are a frequent source of XSS vulnerabilities.
Disclosure timeline
- 10 June 2024 - Developer releases version 5.81.0 with a fix
- 12 June 2024 - Wordfence publishes public advisory