Skip to main content

Customer Reviews WooCommerce CVE-2026-13771

| EUVDEUVD-2026-42526 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-q7qc-p277-8cmp
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Contributor authentication is required (PR:L); a victim must visit the injected page (UI:R); impact crosses into victim browser sessions via scope change (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:48 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.4

DescriptionCVE.org

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, 5.113.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire contributor WordPress account
Delivery
Craft 'color' shortcode attribute with JavaScript payload
Exploit
Publish page containing malicious trust badge shortcode
Execution
Victim user browses to injected page
Persist
Injected script executes in victim's browser
Impact
Steal session cookie or perform admin actions on victim's behalf

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with contributor-level access or higher - contributor is the default lowest WordPress role permitted to create and submit posts containing shortcodes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) captures the key risk dimensions: network reachability (AV:N), no special conditions (AC:L), low-privilege authentication required (PR:L), and a scope change (S:C) that projects impact onto other users' browser sessions rather than the server itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a contributor-level WordPress account - for example, a registered WooCommerce customer who has been granted the ability to submit product reviews or posts - embeds a trust badge shortcode with a crafted 'color' attribute containing a JavaScript payload (e.g., a cookie-stealing script) into a new or edited page and publishes it. Any authenticated user, including a site administrator, who subsequently visits that page has the malicious script executed silently in their browser, allowing the attacker to capture session tokens and perform administrator-level actions without further credentials. …
Remediation Update the Customer Reviews for WooCommerce plugin to the version incorporating SVN changeset 3597201, referenced at https://plugins.trac.wordpress.org/changeset?reponame=&old=3597201%40customer-reviews-woocommerce&new=3597201%40customer-reviews-woocommerce - the exact released version number containing this fix is not independently confirmed from available input data, so administrators should update to the latest available version via the WordPress admin dashboard (Plugins > Installed Plugins > Update) or via WP-CLI ('wp plugin update customer-reviews-woocommerce'). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-0080 HIGH POC
8.8 Feb 13

The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, wh

CVE-2026-12684 MEDIUM POC
6.5 Jul 16

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or non

CVE-2022-38470 HIGH
8.8 Sep 23

Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. Rated

CVE-2022-38134 HIGH
8.8 Sep 23

Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at W

CVE-2022-40194 HIGH
7.5 Sep 23

Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at Wo

CVE-2024-3731 MEDIUM
6.1 Apr 19

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' pa

CVE-2024-1044 MEDIUM
5.3 Feb 29

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a mi

CVE-2024-3869 MEDIUM
4.3 Apr 16

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing

CVE-2024-3243 MEDIUM
4.3 Apr 16

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing c

CVE-2023-51692 MEDIUM
4.3 Feb 28

Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce.38.1. Rated medium severity (CVSS 4.3), t

CVE-2024-10614 MEDIUM
4.3 Nov 16

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capabili

Share

CVE-2026-13771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy