EUVD-2026-23207

| CVE-2026-3355 MEDIUM

2026-04-16 Wordfence

XSS WordPress Customer Reviews For Woocommerce

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 16, 2026 - 07:50 vuln.today

DescriptionNVD

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected Cross-Site Scripting in Customer Reviews for WooCommerce plugin allows unauthenticated attackers to inject arbitrary JavaScript via the unescaped 'crsearch' parameter, affecting all versions up to 5.101.0. Exploitation requires social engineering (victim must click a malicious link), but successful attacks can steal session cookies, perform actions as the logged-in user, or redirect to phishing sites. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-23207 vulnerability details – vuln.today

Back