Reflected Cross-Site Scripting Vulnerability in WP Customer Reviews Plugin by WordPress
CVE-2025-14452

7.2HIGH

Key Information:

Vendor

WordPress
Status
WP Customer Reviews
Vendor
CVE Published:
19 February 2026

What is CVE-2025-14452?

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting through the 'wpcr3_fname' parameter due to inadequate input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious scripts into web pages. If a user is deceived into clicking a crafted link, the scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions performed on behalf of the user.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Customer Reviews * <= 3.7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-customer-re...
https://plugins.trac.wordpress.org/browser/wp-customer-re...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri
Powpy
Waris Damkham
Varakorn Chanthasri
Peerapat Samatathanyakorn
Sopon Tangpathum (SoNaJaa)
JSON
.