Friday, May 8, 2026


WooCommerce Customer Review Plugin Vulnerability Affects 80,000+ Sites

Vulnerability in Customer Reviews for WooCommerce Plugin

A recent advisory has been issued regarding a vulnerability in the Customer Reviews for WooCommerce plugin, which is currently installed on over 80,000 websites. This plugin allows users to send email reminders to customers to leave reviews, and offers other features designed to increase customer engagement with a brand.

What is the Customer Reviews for WooCommerce Plugin?

The Customer Reviews for WooCommerce plugin is a tool that enables users to collect and manage customer reviews on their website. It allows users to send reminders to customers who have made a purchase, asking them to leave a review. The plugin also offers other features, such as the ability to display reviews on the website and to send notifications to administrators when a new review is left.

The Vulnerability

The vulnerability in the Customer Reviews for WooCommerce plugin makes it possible for attackers to inject scripts into web pages that execute whenever a user visits the affected page. This is due to a failure to “sanitize” inputs and “escape” outputs. Sanitizing inputs is a basic WordPress security measure that checks whether submitted data conforms to the expected type and removes dangerous content such as scripts. Output escaping is a complementary measure that encodes special characters in whatever the plugin prints, so the browser displays them as text instead of executing them.


What Does This Mean for Users?

According to the official Wordfence advisory, the Customer Reviews for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
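The two missing controls described above, shown for a review 'author' field as an added example. This is not the plugin's code: the function names and the sample submission are hypothetical, and plain PHP calls stand in for the WordPress helpers named in the comments so the script runs with the PHP CLI alone.

```php
<?php
declare(strict_types=1);

// Constructed sample submission; 'author' carries markup instead of a plain name.
$submitted = ['author' => 'Ann <script>alert(1)</script>', 'text' => 'Great product'];

// "Before": the stored value is concatenated into the page unchanged,
// so any markup in it becomes part of the HTML every visitor receives.
function render_review_unsafe(array $review): string
{
    return '<p class="review-author">' . $review['author'] . '</p>';
}

// Input side: accept only a string, strip tags and control characters,
// collapse whitespace. Inside WordPress, sanitize_text_field() is the
// usual call for a field like this.
function sanitize_author($raw): string
{
    if (!is_string($raw)) {
        return '';
    }
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $clean);
    return trim(preg_replace('/\s+/', ' ', $clean));
}

// Output side: encode for the HTML text context at the moment of printing,
// whatever happened on input. Inside WordPress, esc_html() is the usual call.
function render_review_safe(array $review): string
{
    $author = htmlspecialchars($review['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="review-author">' . $author . '</p>';
}

$stored_raw   = $submitted;   // what a handler with no sanitizing keeps
$stored_clean = ['author' => sanitize_author($submitted['author'])] + $submitted;

echo render_review_unsafe($stored_raw), PHP_EOL;  // raw markup reaches the page
echo render_review_safe($stored_raw), PHP_EOL;    // escaped at output only
echo render_review_safe($stored_clean), PHP_EOL;  // sanitized on input and escaped on output
```

The second line of output shows why escaping at print time matters even for data already in the database: reviews stored before a fix still render as inert text.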

How to Stay Safe

Users of the plugin are advised to update to version 5.81.0 or a newer version to protect themselves from this vulnerability. It is essential to keep plugins and themes up to date to prevent such vulnerabilities from being exploited. By updating the plugin, users can ensure that their website and customer data are secure.

Conclusion

In conclusion, the vulnerability in the Customer Reviews for WooCommerce plugin is a serious issue that can be exploited by attackers to inject malicious scripts into websites. However, by updating the plugin to the latest version, users can protect themselves from this vulnerability and ensure the security of their website and customer data. It is crucial to stay vigilant and keep plugins and themes up to date to prevent such vulnerabilities from being exploited.
