CVE-2025-14891
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Customer Reviews for WooCommerce WordPress plugin lets an attacker with customer-level access inject script through the 'displayName' parameter of the plugin's review form submission. The value is stored and later rendered without adequate escaping, so the script runs in the browser of any user who views a page that displays it. On sites with guest checkout enabled the attack also works without an account: placing an order yields a valid form ID, which is all the vulnerable request requires.
💻 Affected Systems
- Customer Reviews for WooCommerce WordPress plugin
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so scanners that key on NVD data cannot decide automatically whether your installation is affected.
Why? Neither the vendor nor NVD published version ranges for the record. The Wordfence advisory and the plugin changeset in the references identify 5.93.1 and earlier as vulnerable; use that boundary when checking manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A shop manager or administrator views the stored payload inside the WordPress dashboard, handing the script an administrative session: it can create users, change settings or install code, leading to complete site compromise. Redirecting customers to malicious sites and defacing storefront pages are also possible.
Likely Case
The attacker stores a payload that executes in the browser of whoever views the injected display name and issues authenticated requests on that victim's behalf. Outright theft of WordPress login cookies is limited by their HttpOnly flag, so the realistic harm is actions taken in the victim's session and capture of data entered on the affected page, including compromise of customer accounts and personal information.
If Mitigated
Escaping the stored display name at the point of output (WordPress's esc_html() or esc_attr(), according to the HTML or attribute context) and validating it on submission neutralises the payload; only the literal text of the display name is rendered.
🎯 Exploit Status
Exploitation requires a valid form ID, which an attacker obtains simply by placing an order (a guest order where guest checkout is enabled). Technical details, including the vulnerable AJAX handler and template, are publicly available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.93.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3424980/customer-reviews-woocommerce
Restart Required: No
Instructions:
1. Update the Customer Reviews for WooCommerce plugin to the latest version from Plugins > Installed Plugins in the WordPress admin panel.
2. Confirm on the Installed Plugins page that the installed version is higher than 5.93.1.
3. Review existing review and order records for display names that already contain markup: the patch stops new injection but does not necessarily clean data stored before it was applied.
🔧 Temporary Workarounds
Disable Guest Checkout
Blocks the unauthenticated path by requiring an account for every order. Authenticated customers can still exploit the flaw, so this narrows the attacker pool rather than closing the hole.
Navigate to WooCommerce > Settings > Accounts & Privacy > Enable guest checkout (uncheck)
Temporarily Disable Plugin
Removes the vulnerable code path until patching is possible; the plugin's review functionality is unavailable while it is deactivated.
Navigate to WordPress admin > Plugins > Customer Reviews for WooCommerce > Deactivate
🧯 If You Can't Patch
- Put a web application firewall (WAF) with XSS rules in front of the site as a stopgap. Generic XSS signatures are routinely bypassed with encoded or attribute-based payloads, so this reduces rather than removes the risk.
- Monitor WordPress and web-server logs for suspicious activity, and review recent orders and review submissions for displayName values that contain markup.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 5.93.1 or earlier, the system is vulnerable.
Check Version (WP-CLI; the argument is the plugin's directory slug, not its display title):
wp plugin get customer-reviews-woocommerce --field=version
Verify Fix Applied:
Confirm the installed version is higher than 5.93.1. Then, on an install you own or are authorised to test, submit a review with a harmless marker in displayName (for example a name containing <b> or a double quote) and inspect the rendered page source: the characters must appear HTML-encoded (&lt;b&gt;, &quot;), not as live markup.
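A version check that avoids the usual string-comparison mistake, fed by the JSON that wp plugin list --format=json prints, as an added example for this page (it is not the plugin's or the page's own code). It assumes the plugin's directory slug is customer-reviews-woocommerce, as the plugins.trac URLs in the references suggest, and takes 5.93.1 from the advisory as the last vulnerable release:

```python
"""Check whether an installed Customer Reviews for WooCommerce build predates the fix.

Added example for this advisory page; it is not code from the plugin or from the
page. Assumptions: the plugin's directory slug is 'customer-reviews-woocommerce'
(taken from its plugins.trac URL), the last vulnerable release is 5.93.1 (per the
advisory), and the input is the JSON printed by `wp plugin list --format=json`.
"""
import json

PLUGIN_SLUG = "customer-reviews-woocommerce"  # assumption: slug from the trac URL
LAST_VULNERABLE = "5.93.1"                    # boundary given in the advisory


def parse_version(version: str) -> tuple:
    """Turn '5.93.1' into a comparable tuple.

    Comparison must be numeric, not lexical: as strings, '5.100.0' < '5.93.1',
    which would wrongly clear a future 5.100 release. The tuple is padded to four
    numeric fields so '5.93' == '5.93.0', and a '-suffix' (pre-release) sorts
    below the bare release. An empty or unparsable version yields all zeros and
    is therefore treated as vulnerable, which is the safe default.
    """
    core, _, suffix = version.strip().partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (0 if suffix else 1,)


def is_vulnerable(version: str) -> bool:
    """True when the version is 5.93.1 or earlier."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def check_wp_cli_output(json_text: str) -> dict:
    """Summarise the plugin's state from `wp plugin list --format=json` output."""
    for entry in json.loads(json_text):
        if entry.get("name") == PLUGIN_SLUG:
            ver = entry.get("version", "")
            return {
                "installed": True,
                "active": entry.get("status") == "active",
                "version": ver,
                "vulnerable": is_vulnerable(ver),
            }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "9.4.2"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "5.93.1"},
])

if __name__ == "__main__":
    # On a live site: wp plugin list --format=json | python3 check_cr_version.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    print(json.dumps(check_wp_cli_output(data), indent=2))
```

Run it on a site with wp plugin list --format=json | python3 check_cr_version.py; without piped input it evaluates the constructed sample. Versions are compared as numeric tuples because a future 5.100.x would compare lower than 5.93.1 as text and be cleared by mistake.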
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php whose body carries a displayName parameter containing markup (<script, <img, <svg), a javascript: URL, or an event-handler attribute (onerror=, onload=, onmouseover=). The parameter travels in the request body, which web-server access logs do not record by default; a WAF audit log or a request-body logging layer is needed to see it.
- Several orders from one IP address, each with a different or obviously non-name displayName value.
Network Indicators:
- HTTP requests carrying a displayName parameter with angle brackets or the strings above, including their percent-encoded forms (%3Cscript, %3Csvg).
SIEM Query (Splunk-style; adapt to your platform):
source="wordpress.log" AND "displayName" AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=" OR "onmouseover=")
Literal matches like these miss mixed-case and double-encoded payloads; where the platform allows, lower-case and URL-decode the body before matching.
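The SIEM query above is a literal match. The following added example (not code from the plugin or from this page) shows detection logic that decodes the displayName value before matching, so percent-encoded, double-encoded, entity-encoded and mixed-case payloads are all caught, run over a few constructed request-body log lines. The log format, the form action name example_review_form and the IP address are assumptions made for the sample:

```python
"""Flag XSS payloads in the displayName parameter of logged review-form requests.

Added example for this advisory page; it is not the plugin's code and the log
format is constructed: one line per request with the raw POST body after a
'body=' field, as a WAF audit log or request-logging layer might record it.
The action name 'example_review_form' in the samples is a placeholder.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Matched against the fully decoded value, case-insensitively, so percent-encoding,
# double-encoding and mixed case on the wire cannot dodge them. The bare tag-start
# rule is deliberately broad: a display name has no business containing '<x'.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed|style|math|details)\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, OnMouseOver = ...
    re.compile(r"<\s*[a-z]", re.I),
]


def decode_value(raw: str) -> str:
    """Undo one extra layer of percent-encoding (double-encoded payloads) and any
    HTML entities. parse_qs has already removed the first layer."""
    return html.unescape(unquote_plus(raw))


def extract_display_names(line: str) -> list:
    """Return every displayName value in the line's logged body, decoded."""
    if "body=" not in line:
        return []
    body = line.split("body=", 1)[1].strip()
    params = parse_qs(body, keep_blank_values=True)
    return [decode_value(v) for v in params.get("displayName", [])]


def is_suspicious(value: str) -> bool:
    return any(p.search(value) for p in XSS_PATTERNS)


def scan(lines) -> list:
    """(line number, decoded displayName) for every line carrying a suspicious value."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name in extract_display_names(line):
            if is_suspicious(name):
                hits.append((n, name))
    return hits


# Constructed log lines (not real traffic). 1 and 4 are benign, 2 is a plain
# percent-encoded script tag, 3 breaks out of an attribute with mixed case,
# 5 is double-encoded, 6 is entity-encoded, 7 has no body at all.
_PREFIX = "ip=203.0.113.5 method=POST uri=/wp-admin/admin-ajax.php body=action=example_review_form&formId=123&"
SAMPLE_LOG = [
    _PREFIX + "displayName=Alice",
    _PREFIX + "displayName=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    _PREFIX + "displayName=Bob%22%20OnMouseOver%3D%22alert(1)",
    _PREFIX + "displayName=O%27Brien+%26+Sons",
    _PREFIX + "displayName=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    _PREFIX + "displayName=%26lt%3Bsvg+onload%3Dalert(1)%26gt%3B",
    "ip=203.0.113.5 method=GET uri=/shop/",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious displayName {name!r}")
```

Point extract_display_names at whatever field your WAF or request logger uses for the body, and tune XSS_PATTERNS against a week of real display names before alerting; the broad tag-start rule is cheap because a legitimate display name contains no '<'. Treat entity-encoded hits such as line 6 as lower severity: if stored and output unchanged, an entity renders as text rather than executing, but it still marks someone probing the field.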
🔗 References
- https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/reminders/class-cr-local-forms-ajax.php#L76
- https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/templates/form-customer.php#L19
- https://plugins.trac.wordpress.org/changeset/3424980/customer-reviews-woocommerce
- https://www.wordfence.com/threat-intel/vulnerabilities/id/88e4eec2-2861-4d1d-97eb-67887f59c745?source=cve