Stored Cross-Site Scripting in WooCommerce Customer Reviews Plugin by WordPress
CVE-2025-14891
Key Information:
- Vendor: WordPress
- CVE Published: 7 January 2026
What is CVE-2025-14891?
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'displayName' parameter. The issue arises from insufficient input sanitization and output escaping in versions up to and including 5.93.1. Authenticated attackers with customer-level access can exploit this flaw to inject malicious web scripts that execute when other users visit the affected pages. Although the AJAX action can be called without authentication, an attacker must know a valid form ID, which is typically acquired by making a purchase. Where guest checkout is enabled, the vulnerability can potentially be exploited by unauthenticated attackers as well, provided they can obtain the necessary form ID.
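A defender-side triage sketch for the issue described above, added here as an example and not taken from the plugin or the advisory: it checks an installed version against the affected range, audits stored review display names for markup, and shows escape-on-output. The record layout (`id`, `displayName` keys), the function names and the sample rows are assumptions made for illustration.

```python
import html
import re

LAST_AFFECTED = (5, 93, 1)  # from the advisory: versions up to 5.93.1

# Markers that have no place in a reviewer's display name.
SUSPICIOUS = re.compile(r"[<>]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def parse_version(text):
    """Turn a plain dotted version such as '5.93.1' into (5, 93, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(version):
    """True when the installed plugin version is <= 5.93.1."""
    installed = parse_version(version)
    width = max(len(installed), len(LAST_AFFECTED))
    # Pad with zeros so '5.93' and '5.93.0' compare the same way.
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) <= pad(LAST_AFFECTED)


def audit_display_names(records):
    """Return ids of stored reviews whose display name carries markup."""
    flagged = []
    for record in records:
        # Decode entities first so '&lt;script&gt;' is judged like '<script>'.
        name = html.unescape(record.get("displayName", ""))
        if SUSPICIOUS.search(name):
            flagged.append(record["id"])
    return flagged


def render_display_name(name):
    """Escape on output so a stored name is always shown as text."""
    return html.escape(name, quote=True)


# Constructed sample rows standing in for an export of stored reviews.
SAMPLE_REVIEWS = [
    {"id": 101, "displayName": "Dana O'Neil"},
    {"id": 102, "displayName": "<script>/* constructed marker */</script>"},
    {"id": 103, "displayName": "Sam\" onmouseover=\"/* constructed */"},
    {"id": 104, "displayName": "R&D Team"},
]

if __name__ == "__main__":
    print("5.93.1 affected:", is_affected("5.93.1"))
    print("flagged ids:", audit_display_names(SAMPLE_REVIEWS))
```

Flagged rows are candidates for manual review rather than confirmed injections, and escaping at render time remains the control that neutralises anything already stored.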

Affected Version(s)
Customer Reviews for WooCommerce * <= 5.93.1