CVE-2025-14891

Name of the Vulnerable Software and Affected Versions Customer Reviews for WooCommerce plugin for WordPress versions prior to 5.93.2

Description The Customer Reviews for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the displayName parameter. Insufficient input sanitization and output escaping allows authenticated attackers with customer-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. While invoking the AJAX action typically requires authentication, an attacker could potentially bypass this requirement if guest checkout is enabled and a valid form ID is obtained through placing an order.

Recommendations Update the Customer Reviews for WooCommerce plugin to version 5.93.2 or later.