{"id":3797,"date":"2025-07-31T10:29:32","date_gmt":"2025-07-31T10:29:32","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3797"},"modified":"2025-07-31T10:29:33","modified_gmt":"2025-07-31T10:29:33","slug":"a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/","title":{"rendered":"80,000+ WordPress Sites at Risk: A Dangerous XSS Vulnerability in Popular WooCommerce Review Plugin"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">You\u2019re running a WooCommerce store. You\u2019ve worked hard building trust with customers. Your review system is polished. A hacker injects malicious scripts into your website. Suddenly, your visitors are unknowingly exposed to malware, phishing attempts, or worse.<\/p>\n\n\n\n<p class=\"quote-section wp-block-paragraph\">A high-severity vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-5720\">CVE-2025-5720<\/a>) was recently discovered in the widely used WordPress plugin Customer Reviews for WooCommerce, affecting all versions up to and including 5.80.2. The plugin powers over 80,000 websites, many of them small-to-mid-sized businesses trying to boost engagement through customer feedback.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-s-going-on\">What\u2019s Going On?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A stored <a href=\"https:\/\/signmycode.com\/blog\/cross-site-scripting-xss-explained-types-impacts-and-prevention-strategies\">Cross-Site Scripting (XSS) vulnerability<\/a> was uncovered in the plugin, specifically in the way it handles the author parameter. In simple terms, the plugin fails to clean and filter user-submitted data correctly (also known as \u201csanitising input\u201d and \u201cescaping output\u201d).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That gives attackers an open door to embed malicious JavaScript code into your site. 
Worst of all? They don\u2019t even need to log in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The issue is serious enough to have been assigned an official identifier: CVE-2025-5720.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-quick-breakdown\">Quick Breakdown<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>A stored XSS attack works like this:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An attacker submits malicious JavaScript through one of the site\u2019s input fields (in this case, the author field).<\/li>\n\n\n\n<li>Because the site does not sanitise that input properly, it stores the script as-is.<\/li>\n\n\n\n<li>The script then runs in the browser of anyone who views the page where it is displayed.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, that means someone leaving a fake product review with script tags could compromise the backend, steal user sessions, hijack admin accounts, or even spread the attack further.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Read Also:<\/strong> <a href=\"https:\/\/certera.com\/blog\/critical-eventin-wordpress-plugin-vulnerability-puts-10000-sites-at-risk\/\">CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerability is classified under <strong>CWE-79<\/strong> (Improper Neutralisation of Input During Web Page Generation) and tagged as <strong>T1059.007<\/strong> under the <strong>MITRE ATT&amp;CK framework<\/strong>. These aren\u2019t just arbitrary codes. 
These are real-world security issues that attackers actively exploit.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-official-word-from-the-experts\">Official Word from the Experts<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>According to Wordfence, which issued the advisory:<\/strong><\/p>\n\n\n\n<p class=\"quote-section wp-block-paragraph\">The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018author\u2019 parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitisation and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No authentication is needed. That means attackers can launch this remotely, without ever needing access to your admin panel.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-you-can-fix-this-right-now\">How You Can Fix This \u2013 Right Now<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you&#8217;re using the Customer Reviews for WooCommerce plugin, check your version immediately.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vulnerable versions: 5.80.2 and below.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerability was patched in version 5.81.0 (and above). In some advisories, 5.80.3 is also listed as a fixed version. Just make sure you\u2019re running at least 5.81.0 to be safe.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-to-update\">To update:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visit your <strong>WordPress dashboard<\/strong>.<\/li>\n\n\n\n<li>Go to <strong>Plugins > Installed Plugins<\/strong>.<\/li>\n\n\n\n<li>Find Customer Reviews for WooCommerce.<\/li>\n\n\n\n<li>Click <strong>Update Now<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t delay. 
A single script injection can cost you your site, your customers\u2019 trust, and your business\u2019s reputation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So far, no public exploit is available. However, attackers are already scanning for this flaw. It requires no authentication, it is easy to exploit, and it affects a very large number of websites. That is exactly the kind of weakness attackers love. Low effort, high reward.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Read Also:<\/strong> <a href=\"https:\/\/certera.com\/blog\/elementor-pro-vulnerability-hackers-exploited-bug\/\">WordPress Plugin Elementor Pro Found Vulnerable \u2013 Hackers Exploited Bug<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When you run an e-commerce website, your plugins are the beating heart of the business. The Customer Reviews for WooCommerce plugin is an excellent user engagement tool. However, as with any tool, it becomes dangerous when it is misconfigured or left unpatched.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is not about pointing fingers at plugin developers. Mistakes happen. It is about taking the initiative yourself. Your customers will not ask why your site was hacked. They will simply leave and never return.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The real defence is the one that is in place long before the hazards become visible. That is where <strong><a href=\"https:\/\/certera.com\/sitelock\">SiteLock Security<\/a> comes in.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/certera.com\/services\/woocommerce-security\">Protect your WooCommerce site<\/a> from future attacks with SiteLock Security<\/strong>, a proactive website security solution that helps prevent vulnerabilities before they do harm. 
From automated malware detection <strong>to real-time threat alerts<\/strong>, it\u2019s <strong>your digital watchdog working 24\/7.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t wait for the next <a href=\"https:\/\/certera.com\/blog\/what-is-common-vulnerabilities-and-exposures-cves-guide\/\">CVE<\/a> to take down your store. <strong>Get SiteLock and secure your peace of mind.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You\u2019re running a WooCommerce store. You\u2019ve worked hard building trust with customers. Your review system is polished. A hacker injects malicious scripts into your website. Suddenly, your visitors are unknowingly exposed to malware, phishing attempts, or worse. A high-severity vulnerability (CVE-2025-5720) was recently discovered in the widely used WordPress plugin Customer Reviews for WooCommerce, affecting<span class=\"morelink d-block mt-3\"><a href=\"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":3800,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,19,20],"tags":[739,738],"class_list":["post-3797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability","category-website-security","category-wordpress-support-service","tag-cve-2025-5720","tag-woocommerce-customer-review-plugin-vulnerability","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Stored XSS Attack Hits WooCommerce Review Plugin: CVE-2025-5720<\/title>\n<meta name=\"description\" content=\"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ websites.\" \/>\n<meta name=\"robots\" content=\"index, 
follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stored XSS Attack Hits WooCommerce Review Plugin: CVE-2025-5720\" \/>\n<meta property=\"og:description\" content=\"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ websites.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/\" \/>\n<meta property=\"og:site_name\" content=\"EncryptedFence by Certera - Web &amp; Cyber Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/certeraLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-31T10:29:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-31T10:29:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"620\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:site\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\"},\"headline\":\"80,000+ WordPress Sites at Risk: A Dangerous XSS Vulnerability in Popular WooCommerce Review Plugin\",\"datePublished\":\"2025-07-31T10:29:32+00:00\",\"dateModified\":\"2025-07-31T10:29:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/\"},\"wordCount\":734,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/critical-woocommerce-review-plugin-vulnerability.webp\",\"keywords\":[\"CVE-2025-5720\",\"WooCommerce Customer Review Plugin Vulnerability\"],\"articleSection\":[\"Vulnerability\",\"Website Security\",\"WordPress Support 
Service\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/\",\"name\":\"Stored XSS Attack Hits WooCommerce Review Plugin: CVE-2025-5720\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/critical-woocommerce-review-plugin-vulnerability.webp\",\"datePublished\":\"2025-07-31T10:29:32+00:00\",\"dateModified\":\"2025-07-31T10:29:33+00:00\",\"description\":\"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ 
websites.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/critical-woocommerce-review-plugin-vulnerability.webp\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/critical-woocommerce-review-plugin-vulnerability.webp\",\"width\":960,\"height\":620,\"caption\":\"CVE-2025-5720 WooCommerce Vulnerabilities\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certera.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"80,000+ WordPress Sites at Risk: A Dangerous XSS Vulnerability in Popular WooCommerce Review Plugin\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"name\":\"EncryptedFence by Certera - Web & Cyber Security Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"alternateName\":\"Certera's EncryptedFence 
Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certera.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\",\"name\":\"Certera\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"caption\":\"Certera\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/certeraLLC\\\/\",\"https:\\\/\\\/x.com\\\/certera_llc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/certera-llc\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\",\"name\":\"Janki 
Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\\\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.\",\"sameAs\":[\"https:\\\/\\\/certerassl.com\\\/\"],\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/author\\\/certerabguser\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Stored XSS Attack Hits WooCommerce Review Plugin: CVE-2025-5720","description":"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ websites.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/","og_locale":"en_US","og_type":"article","og_title":"Stored XSS Attack Hits WooCommerce Review Plugin: CVE-2025-5720","og_description":"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ websites.","og_url":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/","og_site_name":"EncryptedFence by Certera - Web &amp; Cyber Security Blog","article_publisher":"https:\/\/www.facebook.com\/certeraLLC\/","article_published_time":"2025-07-31T10:29:32+00:00","article_modified_time":"2025-07-31T10:29:33+00:00","og_image":[{"width":960,"height":620,"url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_creator":"@certera_llc","twitter_site":"@certera_llc","twitter_misc":{"Written by":"Janki Mehta","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#article","isPartOf":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/"},"author":{"name":"Janki Mehta","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7"},"headline":"80,000+ WordPress Sites at Risk: A Dangerous XSS Vulnerability in Popular WooCommerce Review Plugin","datePublished":"2025-07-31T10:29:32+00:00","dateModified":"2025-07-31T10:29:33+00:00","mainEntityOfPage":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/"},"wordCount":734,"commentCount":0,"publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"image":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp","keywords":["CVE-2025-5720","WooCommerce Customer Review Plugin Vulnerability"],"articleSection":["Vulnerability","Website Security","WordPress Support Service"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/certera.com\/blog\/#organization"}},{"@type":"WebPage","@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/","url":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/","name":"Stored XSS Attack Hits WooCommerce Review Plugin: 
CVE-2025-5720","isPartOf":{"@id":"https:\/\/certera.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#primaryimage"},"image":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp","datePublished":"2025-07-31T10:29:32+00:00","dateModified":"2025-07-31T10:29:33+00:00","description":"A vulnerability advisory was issued for the WooCommerce review plugin, citing a stored XSS vulnerability affecting up to 80,000+ websites.","breadcrumb":{"@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#primaryimage","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/critical-woocommerce-review-plugin-vulnerability.webp","width":960,"height":620,"caption":"CVE-2025-5720 WooCommerce Vulnerabilities"},{"@type":"BreadcrumbList","@id":"https:\/\/certera.com\/blog\/a-dangerous-xss-vulnerability-in-popular-woocommerce-review-plugin\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/certera.com\/blog\/"},{"@type":"ListItem","position":2,"name":"80,000+ WordPress Sites at Risk: A Dangerous XSS Vulnerability in Popular WooCommerce Review 
Plugin"}]},{"@type":"WebSite","@id":"https:\/\/certera.com\/blog\/#website","url":"https:\/\/certera.com\/blog\/","name":"EncryptedFence by Certera - Web & Cyber Security Blog","description":"","publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"alternateName":"Certera's EncryptedFence Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/certera.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/certera.com\/blog\/#organization","name":"Certera","url":"https:\/\/certera.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","caption":"Certera"},"image":{"@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/certeraLLC\/","https:\/\/x.com\/certera_llc","https:\/\/www.linkedin.com\/company\/certera-llc\/"]},{"@type":"Person","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7","name":"Janki 
Mehta","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","caption":"Janki Mehta"},"description":"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital 
world.","sameAs":["https:\/\/certerassl.com\/"],"url":"https:\/\/certera.com\/blog\/author\/certerabguser\/"}]}},"_links":{"self":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/comments?post=3797"}],"version-history":[{"count":2,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3797\/revisions"}],"predecessor-version":[{"id":3799,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3797\/revisions\/3799"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media\/3800"}],"wp:attachment":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media?parent=3797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/categories?post=3797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/tags?post=3797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}