You’re running a WooCommerce store. You’ve worked hard building trust with customers. Your review system is polished. A hacker injects malicious scripts into your website. Suddenly, your visitors are unknowingly exposed to malware, phishing attempts, or worse.
A high-severity vulnerability (CVE-2025-5720) was recently discovered in the widely used WordPress plugin Customer Reviews for WooCommerce, affecting versions up to 5.80.2. The plugin is active on over 80,000 websites, many of them small-to-mid-sized businesses trying to boost engagement through customer feedback.
What’s Going On?
A stored Cross-Site Scripting (XSS) vulnerability was uncovered in the plugin, specifically in the way it handles the author parameter. In simple terms, the plugin fails to clean and filter user-submitted data correctly (also known as “sanitising input” and “escaping output”).
That gives attackers an open door to embed malicious JavaScript code into your site. Worst of all? They don’t even need to log in.
This issue is so critical it’s been assigned an official identifier: CVE-2025-5720.
Quick Breakdown
Stored XSS attacks generally follow this pattern:
- A hacker submits malicious JavaScript through one of the site's input fields (in this case, the author field).
- The site stores that code as-is because it does not sanitise it appropriately.
- The code is executed whenever someone views the page.
In this case, that means someone leaving a fake product review with script tags could compromise the backend, steal user sessions, hijack admin accounts, or even spread the attack further.
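To make the "sanitise input, escape output" point concrete, here is an added illustration written for this article; it is not the plugin's own code and does not reproduce the real bug. It shows a review-save-and-render routine in the vulnerable shape (raw input stored, then printed unescaped) beside the hardened shape. `sanitize_text_field()` and `esc_html()` are real WordPress functions; the stand-ins defined at the top exist only so the file runs with plain `php` outside WordPress, and the sample submission is constructed.

```php
<?php
// Added example, not the plugin's code. Outside WordPress the two WP helpers
// are replaced by minimal stand-ins so this file runs with plain `php`.
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags and trim.
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): HTML-encode special characters.
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the submitted author name is stored exactly as received...
function save_review_vulnerable(array &$db, array $post): void {
    $db[] = ['author' => $post['author'], 'body' => $post['body']];
}
// ...and later printed into the page without escaping, so any markup in it
// becomes part of the HTML that every visitor's browser renders.
function render_review_vulnerable(array $r): string {
    return "<p class=\"author\">{$r['author']}</p><p>{$r['body']}</p>";
}

// Hardened pattern: sanitise on the way in, escape on the way out.
function save_review_hardened(array &$db, array $post): void {
    $db[] = [
        'author' => sanitize_text_field($post['author']),
        'body'   => sanitize_text_field($post['body']),
    ];
}
function render_review_hardened(array $r): string {
    return '<p class="author">' . esc_html($r['author']) . '</p>'
         . '<p>' . esc_html($r['body']) . '</p>';
}

// Constructed sample submission with markup in the author field.
$submission = ['author' => 'Alice <script>alert(1)</script>', 'body' => 'Great product'];

$vulnerable = [];
save_review_vulnerable($vulnerable, $submission);
echo render_review_vulnerable($vulnerable[0]), PHP_EOL;  // <script> tag survives intact

$hardened = [];
save_review_hardened($hardened, $submission);
echo render_review_hardened($hardened[0]), PHP_EOL;      // tags stripped; remainder HTML-encoded
```

Escaping at output time is the control that actually prevents the script from running; sanitising at input time is defence in depth, and the hardened version does both.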
The vulnerability is classified under CWE-79 (Improper Neutralisation of Input During Web Page Generation) and tagged as T1059.007 under the MITRE ATT&CK framework. These aren’t just arbitrary codes. These are real-world security issues that attackers actively exploit.
Official Word from the Experts
According to Wordfence, which issued the advisory:
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitisation and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
No authentication is needed. That means attackers can launch this remotely, without ever needing access to your admin panel.
How You Can Fix This – Right Now
If you’re using the Customer Reviews for WooCommerce plugin, check your version immediately.
Vulnerable versions: 5.80.2 and below.
The vulnerability was patched in version 5.81.0 (and above). In some advisories, 5.80.3 is also listed as a fixed version. Just make sure you’re running at least 5.81.0 to be safe.
To update:
- Visit your WordPress dashboard.
- Go to Plugins > Installed Plugins.
- Find Customer Reviews for WooCommerce.
- Click Update Now.
Don’t delay. A single script injection can cost you your site, your customers’ trust, and your business’s reputation.
So far, no public exploit is available. However, attackers are already scanning for this vulnerability. It requires no authentication, which makes it easy to exploit, and it affects a very large number of websites. That is exactly the type of weakness hackers adore: low effort, high reward.
Conclusion
When you run an e-commerce website, your plugins are the beating heart of the business. The Customer Reviews for WooCommerce plugin is an excellent user-engagement tool. However, as with any tool, it becomes dangerous when it is improperly configured or when patches have not been applied.
This is not about pointing fingers at plugin developers. Mistakes happen. It is about taking the initiative on your part. Your customers will not ask why your site was hacked. They will simply leave and never return.
Real defence happens long before the threat becomes visible. That is where SiteLock Security comes in.
Protect your WooCommerce site from future attacks with SiteLock Security, a proactive website security solution that helps prevent vulnerabilities before they harm. From automated malware detection to real-time threat alerts, it’s your digital watchdog working 24/7.
Don’t wait for the next CVE to take down your store. Get SiteLock and secure your peace of mind.