CVE-2026-1316
📋 TL;DR
This stored XSS vulnerability in the Customer Reviews for WooCommerce WordPress plugin allows attackers to inject malicious scripts into web pages via the 'media[].href' parameter. The scripts execute when users visit compromised pages, potentially affecting all visitors. Sites using plugin versions up to 5.97.0 with 'Enable for Guests' enabled are vulnerable.
💻 Affected Systems
- Customer Reviews for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers inject malicious scripts to steal user session cookies or credentials, redirect users to phishing sites, or display unwanted advertisements.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and even if exploited, web application firewalls could block malicious payloads.
🎯 Exploit Status
Exploitation requires minimal technical skill - attackers can craft malicious URLs with JavaScript payloads. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.97.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3446777/customer-reviews-woocommerce
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Customer Reviews for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.97.1+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Guest Reviews
allDisable the 'Enable for Guests' setting to prevent unauthenticated exploitation
Web Application Firewall Rules
allImplement WAF rules to block XSS payloads in media[].href parameters
🧯 If You Can't Patch
- Disable the Customer Reviews for WooCommerce plugin entirely
- Implement strict Content Security Policy (CSP) headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Customer Reviews for WooCommerce' version. If version is 5.97.0 or lower, you are vulnerable.Check Version:
wp plugin list --name='customer-reviews-woocommerce' --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 5.97.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing JavaScript in media[].href parameters
- Multiple failed review submissions with suspicious content
Network Indicators:
- HTTP requests with JavaScript payloads in review submission parameters
- Unusual traffic patterns to review submission endpoints
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "review") AND (http_method="POST" AND request_body CONTAINS "media[].href" AND request_body CONTAINS "javascript:")