Close Menu
    Demo
    Marketing

    WooCommerce Review Plugin Flaw Exposes Over 80,000 Websites to Dangerous XSS Attacks

    adminBy
    WooCommerce Review Plugin Flaw Exposes Over 80,000 Websites to Dangerous XSS Attacks - Digitalnewsalerts

    A major security vulnerability has been identified in the widely-used Customer Reviews for WooCommerce plugin, threatening the security of over 80,000 WordPress websites globally. The flaw enables unauthenticated attackers to launch Stored Cross-Site Scripting (XSS) attacks, a serious threat that can inject malicious code into websites. This issue has triggered widespread concern in the WordPress and eCommerce communities, as the plugin is often relied upon to boost customer engagement and trust in online stores.

    What Is the Plugin & Why Is It Used?

    The Customer Reviews for WooCommerce plugin is designed to help eCommerce sites:

    • Send automated review reminders to customers
    • Display verified customer feedback
    • Improve brand reputation and conversion rates

    However, a critical vulnerability in its code now puts those benefits at risk—exposing businesses and users to malicious attacks.

    Understanding the Vulnerability

    According to the Wordfence security advisory, the flaw lies in all plugin versions up to and including 5.80.2, and is caused by:

    • Lack of input sanitization — data input by users is not properly checked or filtered.
    • Lack of output escaping — special characters are not neutralized before being rendered on web pages.

    This allows attackers to exploit the ‘author’ parameter to inject persistent JavaScript code into web pages.

    “The Customer Reviews for WooCommerce plugin… is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter… due to insufficient input sanitization and output escaping.”

    What Happens If Exploited?

    • Scripts are injected into your pages
    • They execute every time someone visits the page
    • No login or admin access is required to exploit—anyone can do it
    • Could lead to:
      • Stolen admin sessions
      • Redirection to phishing or scam sites
      • Fake login prompts
      • Data exfiltration and complete site takeover

    Who Is Affected?

    • Any WordPress site using Customer Reviews for WooCommerce plugin version 5.80.2 or below
    • Particularly risky for eCommerce businesses, as customer trust, data, and sales are at stake
    • Plugins often run with high privileges—a single flaw can affect your entire site

    What You Must Do Now (Critical Steps)

    1. Check Your Plugin Version

    Navigate to Plugins > Installed Plugins in your WordPress dashboard.
    If you’re running version 5.80.2 or earlier, your site is at risk.

    2. Update Immediately

    Update the plugin to the latest patched version: 5.81.0 or newer.
    The update fully patches the XSS vulnerability.

    3. Scan Your Website

    Use reputable tools like:

    • Wordfence
    • MalCare
    • Sucuri Security Scanner

    Check for any unfamiliar scripts, redirects, or admin account anomalies.

    4. Backup Your Website

    Before updating or cleaning, always create a full backup using UpdraftPlus or BackupBuddy.

    Why This Is a Wake-Up Call for WordPress Users

    This vulnerability isn’t just about one plugin—it highlights a recurring issue in WordPress plugin development:

    • Developers must sanitize inputs to prevent code injection
    • They must escape outputs so content is rendered safely
    • eCommerce plugins need stricter security standards, as they handle sensitive data

    Over 43% of all websites are powered by WordPress, and plugins are often their weakest link.

    One small code oversight = massive exploit potential.

    Proactive Security Practices You Should Start Today

    • Always keep plugins updated—enable auto-updates for trusted plugins
    • Regularly audit your plugin list—deactivate and delete unused plugins
    • Enable two-factor authentication (2FA) for all admin users
    • Limit user permissions—not everyone needs admin rights
    • Use a Web Application Firewall (WAF) like Cloudflare or Wordfence
    • Subscribe to security alerts from your plugin providers or use WPScan

    Conclusion

    The WooCommerce Customer Review plugin vulnerability has again exposed the reality that even popular plugins are not immune to dangerous flaws. If exploited, attackers can use Stored XSS to silently compromise user trust, damage brand reputation, and even hijack entire websites.

    If you’re using this plugin, update to version 5.81.0 immediately. Don’t delay—cyberattacks move fast, but smart site owners move faster.

    For More Latest News & Informations Visit Now! Digitalnewsalerts.

    Share.

    Related Posts

    Add A Comment
    Leave A Reply

    digitalnewsalerts - logo

    Stay up to date with the latest news updates from reliable sources by visiting Digitalnewsalerts. Stay informed with breaking news, insightful analysis, and in-depth features from expert voices to effortlessly navigate the dynamic news landscape.

                                                                                                                                      Digital News Alerts © 2025. All rights reserved.