A security alert has been released for the Customer Reviews for WooCommerce plugin, which is currently active on more than 80,000 websites. The issue is a stored cross-site scripting (XSS) flaw that allows unauthenticated attackers to inject malicious scripts into affected sites.


Customer Reviews for WooCommerce Vulnerability

The Customer Reviews for WooCommerce plugin is a popular tool designed to help online retailers improve customer engagement. It allows store owners to send automated emails to buyers, reminding them to leave feedback after making a purchase.

By encouraging customers to submit reviews, the plugin supports businesses in building credibility and increasing trust with potential buyers. This feedback mechanism is vital in maintaining a strong online presence, especially for WooCommerce-based websites.

However, despite its popularity and usefulness, a serious security vulnerability has recently been discovered in the plugin. The flaw affects all versions up to and including 5.80.2, potentially putting tens of thousands of websites at risk.

The vulnerability was brought to light by Wordfence, a well-known WordPress security firm. They issued a public advisory detailing the nature of the threat and offering guidance for users on how to protect their sites.

According to Wordfence, the issue is classified as a Stored Cross-Site Scripting (XSS) vulnerability. In a stored XSS attack the malicious script is saved on the server, typically in the database, and served to every visitor who loads the affected page. That makes it more dangerous than a reflected XSS, which only fires when a victim follows a specially crafted link.

The alarming part is that this vulnerability can be exploited by unauthenticated users: attackers do not need admin access, an account or login credentials. Anyone able to submit a review can inject harmful code into the site.

The core issue lies in how the plugin handles user input and output. Specifically, it does not sanitise the value submitted in the ‘author’ field, and it does not escape that value when it is later printed on the site. Either control on its own would have blocked the attack; the plugin had neither.

Input sanitisation is a basic but crucial security step that cleans user-submitted data before it is stored, stripping tags and other unexpected content so that harmful code never reaches the database. Its absence leaves websites open to injection attacks.

Similarly, output escaping ensures that data displayed on a site, especially data that came from user input, is rendered as plain text rather than interpreted as markup or executable code. Escaping must match the context the data lands in (HTML body, HTML attribute, URL or JavaScript). When it is missing, browsers run whatever script the attacker stored, exposing visitors and administrators to serious risks.

In this case, attackers can use the flaw to inject JavaScript into the product review sections the plugin renders. Whenever someone visits the affected page, that script runs in the visitor's browser under the site's own origin, so it can do anything that visitor can do on the site. The worst case is an administrator viewing the page, because the script then acts with administrator privileges.
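The pattern described above, shown as an added illustration that is not the plugin's own code (the plugin's real form handler and templates are not reproduced here): a review ‘author’ value echoed raw, beside the same value sanitised on input and escaped on output. The small `sanitize_text_field()` and `esc_html()` fallbacks are assumptions that let the file run outside WordPress; inside WordPress the real functions are used instead, and the sample submission is constructed for the demonstration.

```php
<?php
// Added illustration, not the plugin's code: the same review rendered two
// ways. The vulnerable path stores and prints the 'author' value raw; the
// hardened path sanitises on the way in and escapes on the way out.

// Simplified stand-ins so this file runs outside WordPress (assumption).
// WordPress's own sanitize_text_field() and esc_html() replace them there.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);               // drop any HTML tags
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);  // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Encode <, >, &, " and ' so the browser shows them as text.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: what an unauthenticated visitor might post in the
// review form. The payload is a harmless marker, not a real exploit.
$submitted = [
    'author'  => '<script>alert("xss")</script>Alice',
    'rating'  => 5,
    'content' => 'Great product!',
];

// --- Vulnerable handling: stored as-is, printed as-is --------------------
function store_review_vulnerable(array $in): array {
    return ['author' => $in['author'], 'content' => $in['content']];
}
function render_review_vulnerable(array $review): string {
    return '<div class="review"><span class="author">' . $review['author']
         . '</span><p>' . $review['content'] . '</p></div>';
}

// --- Hardened handling: sanitise on input AND escape on output ------------
function store_review_hardened(array $in): array {
    return [
        'author'  => sanitize_text_field($in['author']),
        'content' => sanitize_text_field($in['content']),
    ];
}
function render_review_hardened(array $review): string {
    // Escape at output even though input was sanitised: defence in depth,
    // and rows stored before the fix are still rendered safely.
    return '<div class="review"><span class="author">' . esc_html($review['author'])
         . '</span><p>' . esc_html($review['content']) . '</p></div>';
}

// Returns true when the rendered HTML still contains a live <script> tag.
function contains_live_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$bad  = render_review_vulnerable(store_review_vulnerable($submitted));
$good = render_review_hardened(store_review_hardened($submitted));
// Old, unsanitised rows still go through the escaping path safely:
$legacy = render_review_hardened(store_review_vulnerable($submitted));

echo "Vulnerable output: $bad\n";
echo "Hardened output:   $good\n";
echo "Legacy row output: $legacy\n";
echo 'Vulnerable page executes script: ' . (contains_live_script($bad) ? 'yes' : 'no') . "\n";
echo 'Hardened page executes script:   ' . (contains_live_script($good) ? 'yes' : 'no') . "\n";
echo 'Legacy row executes script:      ' . (contains_live_script($legacy) ? 'yes' : 'no') . "\n";
```

The third rendering is the reason output escaping matters even after input sanitisation is fixed: an update to the plugin cleans new submissions, but anything an attacker stored before the update is still in the database, and only escaping at display time keeps those rows inert.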

Such scripts could redirect users to phishing sites, inject fake content or forms, or perform actions on behalf of a logged-in user, including site-altering actions if that user is an administrator. WordPress marks its authentication cookies HttpOnly, so a script normally cannot read them directly; in practice, session hijacking means using the victim's browser to send authenticated requests rather than stealing the cookie itself.

With the plugin active on over 80,000 WordPress websites, the scale of the risk is considerable. Sites that rely on this tool to boost their e-commerce presence could unknowingly be placing their customers and their own data at risk.

Fortunately, the developers have since released an update, version 5.81.0, that addresses the issue by correcting the sanitisation and escaping routines. Wordfence strongly advises all users to upgrade immediately.

Failing to update could leave websites vulnerable to automated attacks: once a fix is public, attackers routinely scan the internet for sites still running the outdated plugin versions and exploit them at scale.
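A quick check for site operators, added here as an example and not taken from the advisory: compare the installed plugin version against the fixed release and, where WP-CLI is available, update it. The plugin slug `customer-reviews-woocommerce` and the `--path` location are assumptions; confirm the slug from the Plugins screen before relying on it.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed Customer Reviews for WooCommerce version is in the affected range
# (<= 5.80.2) and, when WP-CLI is present, update it in place.
# The plugin slug below is an assumption; verify it on your own install.
FIXED_VERSION="5.81.0"
PLUGIN_SLUG="customer-reviews-woocommerce"

# version_lt A B: exit 0 if A < B, comparing dotted numeric components
# (so 5.80.2 < 5.81.0 and 5.9 < 5.80.2, unlike a plain string compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION: exit 0 if VERSION is below the fixed release,
# i.e. 5.80.2 and everything earlier.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site PATH: inspect a WordPress install with WP-CLI, if available,
# and update the plugin when the installed version is affected.
check_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; check the Plugins screen manually" >&2
        return 2
    fi
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || {
        echo "$PLUGIN_SLUG is not installed at $1"
        return 0
    }
    if is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed is affected; updating"
        wp plugin update "$PLUGIN_SLUG" --path="$1"
    else
        echo "$PLUGIN_SLUG $installed is not affected"
    fi
}

# Usage: check_site /var/www/html   (the path is an assumption)
```

Run `check_site` against each WordPress root you operate; the function returns 2 when WP-CLI is missing so a wrapper script can flag hosts that still need a manual check.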

In conclusion, while the Customer Reviews for WooCommerce plugin remains a valuable asset for many online businesses, this incident highlights the importance of regular security updates and following best practices when it comes to plugin management.
