What the vulnerability does
01Description
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order.
Explanation of Vulnerability in Simple Terms
02Summary
Customer Reviews for WooCommerce versions up to 5.93.1 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts into review content that execute in the browsers of other users viewing those reviews. The vulnerability affects the site's integrity and can expose visitor data, though availability is not impacted.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts into reviews that execute when other users view them, potentially stealing data or performing actions on their behalf.
Potential impact on your site
04Site Impact
Visitors and staff viewing reviews could have their sessions compromised or data stolen; site reputation damaged if malicious reviews are published.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account (e.g., customer or contributor) on the WooCommerce site; no user interaction required from victims.
Key dates
06Disclosure timeline
January 7, 2026
CVE published
April 8, 2026
Record updated
