CVE-2025-14452

7.2 HIGH

📋 TL;DR

This reflected cross-site scripting (XSS) vulnerability lets an unauthenticated attacker inject arbitrary web script through the 'wpcr3_fname' parameter of the WP Customer Reviews WordPress plugin. The script runs in the browser of any user who opens a crafted link, where it can steal cookies that are not marked HttpOnly, redirect the user, or perform actions with that user's session. All WordPress sites running WP Customer Reviews 3.7.5 or earlier are affected.

💻 Affected Systems

Products:
  • WP Customer Reviews for WordPress
Versions: All versions up to and including 3.7.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active. No special configuration needed for exploitation.

⚠️ Manual Verification Required

This CVE entry did not carry machine-readable version ranges in our database, so automated detection cannot decide whether your system is affected. The affected (3.7.5 and earlier) and fixed (3.7.6) versions stated elsewhere on this page should therefore be confirmed against the plugin's changelog before you rely on them.

Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An administrator opens the crafted link while logged in. WordPress marks its authentication cookies HttpOnly, so the injected script usually cannot read them directly; instead it performs authenticated actions in the administrator's browser, such as creating a new administrator account, editing theme or plugin files, or installing a backdoor. The result is full control of the site, the ability to deface it, and access to stored user data.

🟠 Likely Case

An ordinary user or anonymous visitor opens the link. The script can redirect them to a malicious site, display phishing content under the trusted domain, steal cookies not marked HttpOnly, or perform limited actions within that user's session.

🟢 If Mitigated

Script execution is blocked by a strict Content Security Policy (nonce- or hash-based script-src without 'unsafe-inline'). Modern browsers no longer ship reflected-XSS filters, so CSP is the only browser-side control that can be relied on; impact is then limited to failed script execution attempts, visible as CSP violation reports if reporting is configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS requires user interaction (the victim must open the crafted link), but the link is trivial to craft and can be delivered by phishing email, a comment, or any site the attacker controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.6 or later

Vendor Advisory: https://wordpress.org/plugins/wp-customer-reviews/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Customer Reviews' and click 'Update Now'.
4. Verify that the installed version is now 3.7.6 or higher.

🔧 Temporary Workarounds

Temporary Input Sanitization

Applies to: all

Add a stopgap sanitization of the wpcr3_fname parameter in the active theme's functions.php (or a small must-use plugin). Hook 'init' rather than 'preprocess_comment': the latter only runs when a comment is submitted and so never fires on the GET requests a crafted link produces, whereas 'init' runs on every request before the plugin reads the parameter.

add_action('init', 'wpcr3_fname_stopgap_sanitize', 0);
function wpcr3_fname_stopgap_sanitize() {
    // Strip HTML tags from the parameter in every superglobal the plugin might read it from.
    if (isset($_GET['wpcr3_fname'])) {
        $_GET['wpcr3_fname'] = sanitize_text_field($_GET['wpcr3_fname']);
    }
    if (isset($_REQUEST['wpcr3_fname'])) {
        $_REQUEST['wpcr3_fname'] = sanitize_text_field($_REQUEST['wpcr3_fname']);
    }
}

Caveat: sanitize_text_field() removes HTML tags but does not encode quotes, so a payload that lands inside an HTML attribute (for example " onmouseover=...) can survive it. Treat this as a stopgap until the update to 3.7.6, not as a fix.

Web Application Firewall Rule

Applies to: all

Block malicious payloads in the wpcr3_fname parameter

WAF specific: create a rule that inspects the wpcr3_fname query argument and blocks requests whose decoded value contains <script, javascript:, or an on...= event-handler attribute. Apply the WAF's URL-decoding and case-folding transformations before matching (for example ModSecurity's t:urlDecodeUni,t:lowercase); a rule that matches only the literal string <script> misses URL-encoded (%3Cscript%3E), double-encoded, and attribute-injection payloads.

🧯 If You Can't Patch

  • Disable the WP Customer Reviews plugin immediately (wp plugin deactivate wp-customer-reviews, or via Plugins → Installed Plugins)
  • Implement a strict Content Security Policy (nonce- or hash-based script-src with no 'unsafe-inline') so injected inline script and javascript: URLs do not execute

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 3.7.5 or lower, you are vulnerable.

Check Version:

wp plugin list --name=wp-customer-reviews --field=version

(WP-CLI; alternatively read the version from Plugins → Installed Plugins in the admin panel)

Verify Fix Applied:

After updating, verify version shows 3.7.6 or higher in WordPress admin panel.
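Version checks tell you what is installed, not whether the parameter is actually echoed unescaped on your site (a theme override or a WAF may change that either way). The following script is an added example, not part of this page or of the plugin: it sends a harmless canary in wpcr3_fname and classifies how the page reflects it. The page to probe is an assumption you supply as an argument, since this entry does not say which URL renders the parameter; the canary format and the User-Agent string are also this example's own choices.

```python
"""
Safe reflection probe for the wpcr3_fname parameter.

Sends a harmless canary (no executable payload) and classifies how the page
echoes it back. 'unescaped' means <, " and ' reach the HTML verbatim, which is
the precondition for the reported reflected XSS; after updating to 3.7.6 the
expected result is 'escaped' or 'absent'.
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request

PARAM = "wpcr3_fname"
USER_AGENT = "wpcr3-reflection-check/1.0"  # assumption: any identifying value works


def make_canary(nonce=None):
    """Unique marker whose metacharacters reveal what survives unencoded.

    The nonce keeps the marker distinct from anything already on the page;
    the <zz...> pseudo-tag is inert HTML, not a script payload.
    """
    nonce = nonce or secrets.token_hex(4)
    return f'pr{nonce}"\'<zz{nonce}>'


def build_probe_url(page_url, canary):
    """Append (or overwrite) wpcr3_fname on the target page URL."""
    parts = urllib.parse.urlsplit(page_url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[PARAM] = canary
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def classify_reflection(body, canary):
    """Return one of: absent, unescaped, escaped, stripped."""
    nonce = canary[2:].split('"', 1)[0]  # recover the nonce from the marker
    if f"pr{nonce}" not in body:
        return "absent"                  # parameter is not echoed at all
    if canary in body:
        return "unescaped"               # raw < " ' in the HTML: an XSS sink
    escaped_tag = re.compile(
        rf"(?:&lt;|&#0*60;|&#x0*3c;)zz{nonce}(?:&gt;|&#0*62;|&#x0*3e;)",
        re.IGNORECASE,
    )
    if escaped_tag.search(body):
        return "escaped"                 # output encoding is in place
    return "stripped"                    # echoed, but the pseudo-tag was removed


def probe(page_url, timeout=10):
    """Fetch the page with the canary and classify the reflection."""
    canary = make_canary()
    request = urllib.request.Request(
        build_probe_url(page_url, canary), headers={"User-Agent": USER_AGENT}
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        charset = response.headers.get_content_charset() or "utf-8"
        body = response.read().decode(charset, errors="replace")
    return classify_reflection(body, canary)


if __name__ == "__main__":
    # Usage: python wpcr3_probe.py https://example.com/page-with-review-form/
    print(probe(sys.argv[1]))
```

Run it against the page that hosts the review form before and after the update: 'unescaped' confirms the sink is live, 'escaped' or 'absent' is the expected result on 3.7.6, and 'stripped' indicates an input filter (such as the functions.php workaround above) is removing tags, which still leaves attribute-context injection to be checked.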

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests whose query string carries a 'wpcr3_fname' parameter containing script tags, javascript: URLs, or on...= event handlers, in raw, URL-encoded (%3Cscript%3E) or double-encoded form
  • Unusual Referer URLs that themselves contain 'wpcr3_fname' with an encoded script payload (a victim who opened the crafted link and then navigated onward)

Network Indicators:

  • Outbound connections from visitors' browsers to unfamiliar domains immediately after loading a page whose URL contained the wpcr3_fname parameter (visible only in client-side or proxy telemetry; the web server sees the reflected payload but not the exfiltration)
  • Requests to unfamiliar domains whose path or query string carries this site's cookie values or other session data

SIEM Query:

source="web_logs" AND uri="*wpcr3_fname=*" AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*%253Cscript*" OR uri="*javascript:*" OR uri="*javascript%3A*" OR uri="*onerror=*" OR uri="*onload=*" OR uri="*onmouseover=*")

If your SIEM can URL-decode the uri field, match against the decoded value instead of enumerating encodings; the wildcard list above misses any encoding variant it does not name.
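Where no SIEM is available, or to validate a SIEM rule against known-bad samples, the same detection can be run directly over access logs. The script below is an added example, not part of this page or of the plugin. It assumes the Apache/nginx "combined" log format, repeatedly URL-decodes the wpcr3_fname value so that encoded and double-encoded payloads match, and also checks the Referer, where a victim's follow-on request carries the crafted URL. The sample log lines are constructed for the example, not real traffic.

```python
"""
Scan web-server access logs for XSS payloads in the wpcr3_fname parameter.

Values are URL-decoded repeatedly before matching so that %3Cscript%3E and
double-encoded %253Cscript%253E are caught as well as the literal form; the
Referer is checked too, since a victim who followed the crafted link carries
it into their next request.
"""
import re
import urllib.parse

PARAM = "wpcr3_fname"

# Apache/nginx "combined" log format (assumption: adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markers of script injection once the value is decoded: tag openers,
# javascript: URLs, on*= event handlers, and data:text/html documents.
XSS_RE = re.compile(
    r"<\s*/?\s*(?:script|svg|img|iframe|object|embed|body|input|details|math)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*="
    r"|data\s*:\s*text/html",
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (stop when stable)."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def param_values(url_or_target):
    """Decoded wpcr3_fname values from a request target or a full URL."""
    query = urllib.parse.urlsplit(url_or_target).query
    return [
        fully_decode(value)
        for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True)
        if key == PARAM
    ]


def scan_line(line):
    """Return a finding dict for a suspicious line, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    hits = []
    for source, field in (("uri", match["target"]), ("referer", match["referer"])):
        for value in param_values(field):
            if XSS_RE.search(value):
                hits.append((source, value))
    if not hits:
        return None
    return {"ip": match["ip"], "ts": match["ts"], "status": match["status"], "hits": hits}


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample log (not real traffic): one benign request, a literal
# <script> payload, a double-encoded attribute-injection payload, and a payload
# carried only in the Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /reviews/?wpcr3_fname=Alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2025:12:00:02 +0000] "GET /reviews/?wpcr3_fname=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /reviews/?wpcr3_fname=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:04 +0000] "GET /reviews/ HTTP/1.1" 200 5100 "https://example.com/reviews/?wpcr3_fname=javascript:alert(1)" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["ip"], finding["hits"])
```

The double-encoded third line is the case a literal-string SIEM query misses entirely: only after two decoding passes does it read as an attribute breakout with an onmouseover handler. Feed real logs in with `scan(open(path))` and tune XSS_RE to your own false-positive rate before alerting on it.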
