Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'

This exploitation research plan targets a reflected Cross-Site Scripting (XSS) vulnerability in the Customer Reviews for WooCommerce plugin (<= 5.101.0). The vulnerability arises because the plugin reflects the crsearch GET parameter into the HTML search interface without proper escaping.

1. Vulnerability Summary

• Vulnerability: Reflected Cross-Site Scripting (XSS).
• Vulnerable Parameter: crsearch (GET).
• Vulnerable Component: The "All Reviews" shortcode/block UI.
• Sink: An HTML <input> element's value attribute or a text node within the search UI.
• Cause: The plugin retrieves the search query from $_GET['crsearch'] and echoes it back to the user in the search field's value attribute without using esc_attr() or esc_html().

2. Attack Vector Analysis

• Endpoint: Any public-facing WordPress page or post containing the [cusrev_all_reviews] shortcode.
• Payload Parameter: crsearch.
• Authentication: None required (Unauthenticated).
• Preconditions: A page must exist with the [cusrev_all_reviews] shortcode rendered.

3. Code Flow

1. Entry Point: A user visits a URL with the parameter ?crsearch=<payload>.
2. Shortcode Handling: WordPress processes the [cusrev_all_reviews] shortcode via CR_All_Reviews::render_all_reviews_shortcode() (defined in includes/blocks/class-cr-all-reviews.php).
3. UI Generation: This method calls display_reviews().
4. Hook Trigger: Inside display_reviews(), the plugin triggers the action hook do_action( 'cr_reviews_search' ).
5. Vulnerable Sink: The class CR_Ajax_Reviews (in includes/reviews/class-cr-ajax-reviews.php) registers a handler for this hook:

   add_action( 'cr_reviews_search', array( 'CR_Ajax_Reviews', 'display_search_ui' ) );
   

6. Reflection: The display_search_ui() function (inferred logic based on plugin behavior) retrieves $_GET['crsearch'] and echoes it directly into the value attribute of a search <input> field:

   // Predicted vulnerable code in display_search_ui()
   $search_query = isset( $_GET['crsearch'] ) ? $_GET['crsearch'] : '';
   echo '<input type="text" class="cr-search-input" value="' . $search_query . '">'; 
   

4. Nonce Acquisition Strategy

This is a Reflected XSS vulnerability in a standard GET request that renders HTML.

• Nonce Requirement: No nonce is required for the reflection to occur, as it happens during the initial page load when the shortcode is processed.
• Bypass: The vulnerability exists in the output rendering of the page itself, not an AJAX endpoint that validates nonces before execution.

5. Exploitation Strategy

1. Target URL Identification: Identify or create a page containing the [cusrev_all_reviews] shortcode.
2. Payload Construction: Use a payload designed to break out of an HTML attribute and execute JavaScript:
   • Payload: "><script>alert(document.domain)</script>
   • URL Encoded: %22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
3. Request Execution: Use the http_request tool to perform a GET request to the target page with the payload.

6. Test Data Setup

1. Plugin Activation: Ensure customer-reviews-woocommerce version 5.101.0 and woocommerce are installed and active.
2. Page Creation: Create a public page containing the necessary shortcode:

   wp post create --post_type=page --post_title="Reviews Test" --post_status=publish --post_content='[cusrev_all_reviews]'
   

3. Verify URL: Note the URL of the newly created page (e.g., /reviews-test/).

7. Expected Results

• The HTTP response will contain the literal, unescaped string: value=""><script>alert(document.domain)</script>".
• If viewed in a browser, the JavaScript alert(document.domain) will execute.

8. Verification Steps

1. Automated Check: Use the http_request tool to fetch the page with the payload and grep for the raw payload in the response body.

   response = http_request("GET", "http://wp.local/reviews-test/?crsearch=\"><script>alert(1)</script>")
   if '"><script>alert(1)</script>' in response['body']:
       print("Vulnerability Confirmed: Payload reflected unescaped.")
   

2. Manual Browser Check: Use browser_navigate to the URL and check if the script executes or if the input field's value contains the payload.

9. Alternative Approaches

If the display_search_ui hook behaves differently, the reflection may occur in other parts of the "All Reviews" block:

• Alternative Sink: Check the "Search" button label or the "Results for..." text if the search has been "submitted".
• Payload Variation: If the input is inside a JSON object localized for JavaScript (via wp_localize_script), use a payload to break out of a JS string:
  • Payload: ";alert(1);//
• AJAX Reflected XSS: If the search results are loaded via AJAX (action cr_filter_reviews), the reflection might occur in the AJAX response. This would require obtaining the nonce from the localized script variable (e.g., window.ivole_all_reviews_params.nonce or similar).