What the vulnerability does
01 Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews (woocommerce-photo-reviews) allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.
Explanation of Vulnerability in Simple Terms
02 Summary
WooCommerce Photo Reviews versions 1.4.4 and earlier contain a vulnerability that allows attackers to read sensitive information without authentication. The flaw stems from improper input handling that exposes data to unauthorized access. No user interaction or special privileges are required to exploit this issue. Site administrators should update to a version newer than 1.4.4.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the plugin without logging in.
Potential impact on your site
04 Site Impact
Customer data or plugin configuration may be exposed to unauthenticated visitors.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 26, 2026: CVE published
April 28, 2026: Record updated