PT-2026-1554 · Unknown+1 · Woocommerce+1
Angus Girvan
·
Published
2026-01-07
·
Updated
2026-01-07
·
CVE-2025-14891
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Customer Reviews for WooCommerce plugin for WordPress versions prior to 5.93.2
Description
The Customer Reviews for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the
displayName parameter. Insufficient input sanitization and output escaping allows authenticated attackers with customer-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. While invoking the AJAX action typically requires authentication, an attacker could potentially bypass this requirement if guest checkout is enabled and a valid form ID is obtained through placing an order.Recommendations
Update the Customer Reviews for WooCommerce plugin to version 5.93.2 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Customer Reviews For Woocommerce
Woocommerce