WordPress Customer Reviews for WooCommerce plugin <= 5.3.5 - Cross-Site Request Forgery (CSRF) vulnerability
Description
Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Customer Reviews for WooCommerce <= 5.3.5 allows an unauthenticated attacker to perform unauthorized actions by tricking a logged-in administrator into visiting a malicious page or clicking a malicious link.
Vulnerability
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 5.3.5. The vulnerability exists because the plugin does not properly verify nonces when processing certain requests, so an attacker can craft a link or form submission that, when triggered by an authenticated administrator, performs state-changing actions on the administrator's behalf. The browser attaches the administrator's WordPress authentication cookies to the forged request, so the plugin cannot distinguish it from a legitimate one. The plugin is actively maintained, with later versions (e.g., 5.109.0) available [1][2].
Exploitation
To exploit this vulnerability, an attacker must trick an authenticated WordPress administrator into visiting a crafted URL or submitting a malicious form while the administrator holds an active session on the site. The attacker needs no account on the target site and no elevated privileges; only the victim must be logged in. The forged request can be delivered via social engineering, such as a link in an email or an attacker-controlled web page that auto-submits a hidden form, so no deliberate click on the vulnerable action is required. When the administrator's browser sends the request, the plugin executes it as if it were legitimate, using the administrator's session [2].
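The missing-nonce pattern described in the Vulnerability and Exploitation sections, as an added illustration that is not code from Customer Reviews for WooCommerce: a generic WordPress `admin-post.php` settings handler written first without a nonce check (the CSRF-prone shape) and then hardened with `check_admin_referer()` plus a capability check. The action names, option name, nonce field name and settings form are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are real.

```php
<?php
/**
 * Added illustration, not the plugin's own code.
 * Hypothetical names: cr_example_* actions/options, _cr_example_nonce field.
 */

// --- Vulnerable pattern: state change on any POST from a logged-in user ---
// An attacker-controlled page can auto-submit a form to
// admin-post.php?action=cr_example_save_settings_vulnerable. The victim's
// browser attaches the WordPress auth cookies, so this runs as the admin.
add_action( 'admin_post_cr_example_save_settings_vulnerable', function () {
    // No nonce check and no capability check: the handler cannot tell a
    // forged cross-site request from one sent by the real settings page.
    $enabled = isset( $_POST['cr_example_reviews_enabled'] ) ? 1 : 0;
    update_option( 'cr_example_reviews_enabled', $enabled );
    wp_safe_redirect( admin_url( 'admin.php?page=cr-example-settings' ) );
    exit;
} );

// --- Hardened pattern: capability check, then nonce check, then state change ---
add_action( 'admin_post_cr_example_save_settings', function () {
    // Authorization: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF defense: check_admin_referer() validates $_REQUEST['_cr_example_nonce']
    // against the action string and the current user's session and calls
    // wp_die() on failure. A cross-site form cannot supply a valid nonce.
    check_admin_referer( 'cr_example_save_settings', '_cr_example_nonce' );

    $enabled = isset( $_POST['cr_example_reviews_enabled'] ) ? 1 : 0;
    update_option( 'cr_example_reviews_enabled', $enabled );
    wp_safe_redirect( admin_url( 'admin.php?page=cr-example-settings&updated=1' ) );
    exit;
} );

// --- Legitimate settings form: emits the nonce the hardened handler expects ---
function cr_example_render_settings_form() {
    $enabled = (int) get_option( 'cr_example_reviews_enabled', 0 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cr_example_save_settings">
        <?php wp_nonce_field( 'cr_example_save_settings', '_cr_example_nonce' ); ?>
        <label>
            <input type="checkbox" name="cr_example_reviews_enabled" value="1" <?php checked( $enabled, 1 ); ?>>
            Enable review collection
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

Two practitioner notes on this pattern. First, the nonce check and the capability check answer different questions (is this request from my own UI, and is this user allowed to do it), so a handler needs both; a nonce check alone does not stop a low-privileged logged-in user from calling the endpoint directly. Second, WordPress nonces are tied to the user and rotate on a roughly 12 to 24 hour window rather than being single-use, which is sufficient against CSRF but should not be mistaken for a general anti-replay token. For `wp_ajax_*` handlers the equivalent call is `check_ajax_referer()`.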
Impact
Successful exploitation allows an attacker to perform unauthorized actions within the plugin's administrative interface, such as changing settings, deleting data, or performing other operations that normally require administrative privileges. The impact depends on which actions the forged request triggers; at minimum it permits manipulation of the affected WooCommerce store's review configuration or review data. The highest-risk outcome is tampering with plugin settings, which could affect how reviews are collected, displayed, or otherwise processed [2].
Mitigation
The issue is fixed in Customer Reviews for WooCommerce version 5.3.6 and later. Users should update the plugin to the latest version (5.109.0 as of this advisory) via the WordPress plugin repository. No other workarounds are documented. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.