A major security vulnerability has been identified in the widely-used Customer Reviews for WooCommerce plugin, threatening the security of over 80,000 WordPress websites globally. The flaw enables unauthenticated attackers to launch Stored Cross-Site Scripting (XSS) attacks, a serious threat that can inject malicious code into websites. This issue has triggered widespread concern in the WordPress and eCommerce communities, as the plugin is often relied upon to boost customer engagement and trust in online stores.
What Is the Plugin & Why Is It Used?
The Customer Reviews for WooCommerce plugin is designed to help eCommerce sites:
- Send automated review reminders to customers
- Display verified customer feedback
- Improve brand reputation and conversion rates
However, a critical vulnerability in its code now puts those benefits at risk—exposing businesses and users to malicious attacks.
Understanding the Vulnerability
According to the Wordfence security advisory, the flaw lies in all plugin versions up to and including 5.80.2, and is caused by:
- Lack of input sanitization — data input by users is not properly checked or filtered.
- Lack of output escaping — special characters are not neutralized before being rendered on web pages.
This allows attackers to exploit the ‘author’ parameter to inject persistent JavaScript code into web pages.
“The Customer Reviews for WooCommerce plugin… is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter… due to insufficient input sanitization and output escaping.”
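The two root causes named above, missing input sanitization and missing output escaping, are easiest to see side by side. The following is an added example written for this article, not the plugin's own code: it assumes a hypothetical review-submission handler running inside WordPress, so that the core functions wp_unslash(), sanitize_text_field(), esc_html(), get_post_meta() and update_post_meta() are available, and uses a request field named author as a stand-in for the parameter named in the advisory.

```php
<?php
// Added example (not the plugin's code): a hypothetical handler that stores the
// reviewer name submitted with a review and later prints it on a product page.
// Function names prefixed cr_example_ are invented for this illustration.

// --- Vulnerable pattern: raw request data is stored and later echoed as-is. ---
function cr_example_store_author_unsafe( int $review_id ): void {
    // No sanitization: whatever was submitted is saved verbatim.
    $author = $_POST['author'] ?? '';
    update_post_meta( $review_id, 'cr_example_author', $author );
}

function cr_example_render_author_unsafe( int $review_id ): void {
    // No escaping: stored markup is emitted into the page and runs in every
    // visitor's browser on each page view, which is what makes the XSS "stored".
    $author = get_post_meta( $review_id, 'cr_example_author', true );
    echo '<span class="review-author">' . $author . '</span>';
}

// --- Hardened pattern: sanitize on the way in, escape on the way out. ---
function cr_example_store_author_safe( int $review_id ): void {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks and trims.
    $author = isset( $_POST['author'] )
        ? sanitize_text_field( wp_unslash( $_POST['author'] ) )
        : '';
    // A display name has no legitimate reason to be huge, so bound its length too.
    $author = mb_substr( $author, 0, 100 );
    update_post_meta( $review_id, 'cr_example_author', $author );
}

function cr_example_render_author_safe( int $review_id ): void {
    // esc_html() is applied at output time regardless of what was stored, so even
    // data written by an older, unsanitized version of the code cannot become markup.
    $author = (string) get_post_meta( $review_id, 'cr_example_author', true );
    echo '<span class="review-author">' . esc_html( $author ) . '</span>';
}
```

Output escaping is the layer that cannot be skipped: a fix that only sanitizes new submissions leaves already-stored values dangerous, whereas escaping at render time neutralizes them. The escaping function must match the context the value lands in; esc_html() is right for element text, while a value placed inside an HTML attribute needs esc_attr() and one placed inside a URL needs esc_url().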
What Happens If Exploited?
- Scripts are injected into your pages
- They execute every time someone visits the page
- No login or admin access is required to exploit—anyone can do it
- Could lead to:
  - Stolen admin sessions
  - Redirection to phishing or scam sites
  - Fake login prompts
  - Data exfiltration and complete site takeover
Who Is Affected?
- Any WordPress site running the Customer Reviews for WooCommerce plugin at version 5.80.2 or below
- Particularly risky for eCommerce businesses, as customer trust, data, and sales are at stake
- Plugins often run with high privileges—a single flaw can affect your entire site
What You Must Do Now (Critical Steps)
1. Check Your Plugin Version
Navigate to Plugins > Installed Plugins in your WordPress dashboard.
If you’re running version 5.80.2 or earlier, your site is at risk.
2. Update Immediately
Update the plugin to the latest patched version: 5.81.0 or newer.
The update fully patches the XSS vulnerability.
3. Scan Your Website
Use reputable tools like:
- Wordfence
- MalCare
- Sucuri Security Scanner
Check for any unfamiliar scripts, redirects, or admin account anomalies.
4. Backup Your Website
Before updating or cleaning, always create a full backup using UpdraftPlus or BackupBuddy.
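Steps 1, 2 and 4 above can be done from the command line on a server you administer, which is useful when many sites need checking. The script below is an added example for this article, not something the advisory or the plugin provides; it assumes WP-CLI is installed, that it is run from the WordPress root, and that the plugin's wordpress.org slug is customer-reviews-woocommerce (an assumption on my part). The version comparison is written generally, so it works for any dotted plugin version, not only the 5.80.2 / 5.81.0 pair from this advisory.

```shell
#!/bin/sh
# Added example: check whether the installed plugin version is in the affected
# range (below the first patched release), back up the database and update it.
# Assumptions (not from the advisory): WP-CLI is on PATH, the script runs from the
# WordPress root, and the plugin slug below is correct.

PLUGIN_SLUG="customer-reviews-woocommerce"   # assumed wordpress.org slug
FIXED_VERSION="5.81.0"                        # first patched release per the advisory

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Missing trailing components count as 0, so "5.80" sorts below "5.80.1".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0;
      q = (i <= m) ? y[i] + 0 : 0;
      if (p < q) exit 0;
      if (p > q) exit 1;
    }
    exit 1;   # equal versions are not "lower"
  }'
}

# is_vulnerable VERSION: succeed when VERSION predates the fixed release.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print the plugin's installed version, or nothing if it is
# not installed or WP-CLI is unavailable.
installed_version() {
  wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

main() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "plugin '$PLUGIN_SLUG' not installed here, or WP-CLI unavailable"
    return 0
  fi
  if is_vulnerable "$v"; then
    echo "installed $v is affected; exporting database, then updating"
    # Step 4 of the article: take a backup before touching anything.
    wp db export "pre-update-$(date +%Y%m%d%H%M%S).sql" || return 1
    wp plugin update "$PLUGIN_SLUG" || return 1
    echo "now at $(installed_version)"
  else
    echo "installed $v is already at or above $FIXED_VERSION"
  fi
}

# Run main only when executed directly as check-cr-plugin.sh, not when sourced.
case "${0##*/}" in
  check-cr-plugin.sh) main ;;
esac
```

Save it as check-cr-plugin.sh and run it from each site's document root. A database export covers the review data the plugin stores; if your workflow also needs the files backed up, add that step before the update as the article recommends.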
Why This Is a Wake-Up Call for WordPress Users
This vulnerability isn’t just about one plugin—it highlights a recurring issue in WordPress plugin development:
- Developers must sanitize inputs to prevent code injection
- They must escape outputs so content is rendered safely
- eCommerce plugins need stricter security standards, as they handle sensitive data
Over 43% of all websites are powered by WordPress, and plugins are often their weakest link.
One small code oversight = massive exploit potential.
Proactive Security Practices You Should Start Today
- Always keep plugins updated—enable auto-updates for trusted plugins
- Regularly audit your plugin list—deactivate and delete unused plugins
- Enable two-factor authentication (2FA) for all admin users
- Limit user permissions—not everyone needs admin rights
- Use a Web Application Firewall (WAF) like Cloudflare or Wordfence
- Subscribe to security alerts from your plugin providers or use WPScan
Conclusion
The Customer Reviews for WooCommerce plugin vulnerability has again exposed the reality that even popular plugins are not immune to dangerous flaws. If exploited, attackers can use Stored XSS to silently compromise user trust, damage brand reputation, and even hijack entire websites.
If you’re using this plugin, update to version 5.81.0 immediately. Don’t delay—cyberattacks move fast, but smart site owners move faster.