Customer Reviews for WooCommerce < 5.17.0 - Contributor+ Stored XSS
Description
The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in the page or post where the shortcode is embedded, which could allow users with the contributor role and above to perform stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Customer Reviews for WooCommerce plugin before 5.17.0 suffers from stored XSS due to insufficient validation of shortcode attributes, allowing contributor-level users to inject malicious scripts.
Vulnerability
The Customer Reviews for WooCommerce plugin versions before 5.17.0 lack proper validation and escaping of some shortcode attributes [1]. When a user with the contributor role or above embeds the shortcode in a page or post, the attribute values are written into the rendered HTML without escaping for the context they land in, so a crafted value becomes markup, enabling stored cross-site scripting.
Exploitation
An attacker must have at least contributor-level access to WordPress. They can create or edit a post/page containing the vulnerable shortcode and place attacker-controlled JavaScript in one of its attributes. Contributors lack the unfiltered_html capability, so WordPress's KSES filter strips raw HTML tags from their posts on save; a shortcode attribute value that contains no tag (for example a quote that closes the attribute followed by an event handler) is plain text to KSES and only becomes markup when the plugin renders the shortcode at view time. When other users view that content, the script executes in their browser.
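The vulnerable-versus-hardened pattern described above, as an added illustration that is not the plugin's own code: a hypothetical shortcode handler for a made-up [demo_reviews title="..."] tag, once interpolating the attribute raw and once whitelisting attributes with shortcode_atts() and escaping per output context with esc_attr() and esc_html(). The stand-in definitions of those three WordPress functions exist only so the file runs outside WordPress and are approximations of the real ones; the hostile attribute value is constructed for the demonstration.

```php
<?php
// Added example, not code from the Customer Reviews for WooCommerce plugin.
// Shortcode name, handler names and the hostile value are all hypothetical.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// functions are already defined and these blocks are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        // Approximation of esc_attr(): entity-encode for an HTML attribute value.
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        // Approximation of esc_html(): entity-encode for HTML text content.
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        // Approximation of shortcode_atts(): keep only the attribute names the
        // handler declares, filling in defaults for any that are missing.
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the attribute value is concatenated straight into the
// HTML, both inside an attribute and as element text, with no escaping.
function demo_reviews_vulnerable(array $atts): string {
    $title = $atts['title'] ?? 'Reviews';
    return '<div class="reviews" data-title="' . $title . '">'
         . '<h3>' . $title . '</h3></div>';
}

// Hardened pattern: declare the accepted attributes, then escape each value
// for the exact context it is written into (attribute vs. text node).
function demo_reviews_fixed(array $atts): string {
    $atts  = shortcode_atts(['title' => 'Reviews'], $atts);
    $title = (string) $atts['title'];
    return '<div class="reviews" data-title="' . esc_attr($title) . '">'
         . '<h3>' . esc_html($title) . '</h3></div>';
}

// Constructed attribute value. It contains no HTML tag, so a post-content
// filter that strips tags from users without unfiltered_html would leave it
// intact; it only becomes markup when the shortcode handler renders it.
$hostile = '" onmouseover="alert(document.domain)';

echo demo_reviews_vulnerable(['title' => $hostile]), PHP_EOL;
echo demo_reviews_fixed(['title' => $hostile]), PHP_EOL;
```

Run with `php` on the command line. In the first line of output the leading quote closes data-title early and the onmouseover handler lands as a real attribute on the div; in the second line every quote is entity-encoded, so the whole value stays inside data-title and the h3 text, and no handler is created. Note that esc_attr() is the right call only for double-quoted HTML attributes; a value written into a URL, a JavaScript string or a CSS block needs the escaper for that context instead.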
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's session. If the viewer is an administrator or editor, the script runs with that user's privileges, which can lead to session hijacking, defacement, or further malicious actions within the WordPress admin panel.
Mitigation
The issue is fixed in version 5.17.0 [1]. Users should update the plugin immediately. No known workarounds are available without updating.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Customer Reviews for WooCommerce (WordPress plugin): Range <5.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/fdaba4d1-950d-4512-95de-cd43fe9e73e5/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.