CVE-2026-28132 MEDIUM

CVE-2026-28132: WordPress WooCommerce Photo Reviews plugin <= 1.4.4 - Content Injection vulnerability

Vendor: Villatheme
Product: WooCommerce Photo Reviews
Weakness: CWE-80 · XSS · basic
Published: February 26, 2026
Last update: April 28, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews (woocommerce-photo-reviews) allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.

Explanation of Vulnerability in Simple Terms

02 Summary

WooCommerce Photo Reviews versions 1.4.4 and earlier contain a vulnerability that allows attackers to read sensitive information without authentication. The flaw stems from improper input handling that exposes data to unauthorized access. No user interaction or special privileges are required to exploit this issue. Site administrators should update to a version newer than 1.4.4.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the plugin without logging in.

Potential impact on your site

04 Site Impact

Customer data or plugin configuration may be exposed to unauthenticated visitors.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 26, 2026: CVE published
April 28, 2026: Record updated