[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4LGwq5oxxCFMwem6nexEeenjZE0D8C6Iy3c5ipxF544":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-3355","customer-reviews-for-woocommerce-reflected-cross-site-scripting-via-crsearch","Customer Reviews for WooCommerce \u003C= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'","The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","customer-reviews-woocommerce",null,"\u003C=5.101.0","5.102.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 17:40:07","2026-04-16 06:44:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa851172f-3b27-4bc2-adc7-6863c2fd1c0a?source=api-prod",1,[22,23,24,25,26,27,28],"class-ivole.php","includes\u002Fblocks\u002Fclass-cr-all-reviews.php","includes\u002Freviews\u002Fclass-cr-ajax-reviews.php","includes\u002Freviews\u002Fclass-cr-reviews.php","includes\u002Fsettings\u002Fclass-cr-settings-discount-tiers.php","ivole.php","readme.txt","researched",false,3,"This exploitation research plan targets a reflected Cross-Site Scripting (XSS) vulnerability in the **Customer Reviews for WooCommerce** plugin (\u003C= 5.101.0). The vulnerability arises because the plugin reflects the `crsearch` GET parameter into the HTML search interface without proper escaping.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Reflected Cross-Site Scripting (XSS).\n*   **Vulnerable Parameter:** `crsearch` (GET).\n*   **Vulnerable Component:** The \"All Reviews\" shortcode\u002Fblock UI.\n*   **Sink:** An HTML `\u003Cinput>` element's `value` attribute or a text node within the search UI.\n*   **Cause:** The plugin retrieves the search query from `$_GET['crsearch']` and echoes it back to the user in the search field's value attribute without using `esc_attr()` or `esc_html()`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Any public-facing WordPress page or post containing the `[cusrev_all_reviews]` shortcode.\n*   **Payload Parameter:** `crsearch`.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** A page must exist with the `[cusrev_all_reviews]` shortcode rendered.\n\n### 3. Code Flow\n1.  **Entry Point:** A user visits a URL with the parameter `?crsearch=\u003Cpayload>`.\n2.  **Shortcode Handling:** WordPress processes the `[cusrev_all_reviews]` shortcode via `CR_All_Reviews::render_all_reviews_shortcode()` (defined in `includes\u002Fblocks\u002Fclass-cr-all-reviews.php`).\n3.  **UI Generation:** This method calls `display_reviews()`.\n4.  **Hook Trigger:** Inside `display_reviews()`, the plugin triggers the action hook `do_action( 'cr_reviews_search' )`.\n5.  **Vulnerable Sink:** The class `CR_Ajax_Reviews` (in `includes\u002Freviews\u002Fclass-cr-ajax-reviews.php`) registers a handler for this hook:\n    ```php\n    add_action( 'cr_reviews_search', array( 'CR_Ajax_Reviews', 'display_search_ui' ) );\n    ```\n6.  **Reflection:** The `display_search_ui()` function (inferred logic based on plugin behavior) retrieves `$_GET['crsearch']` and echoes it directly into the `value` attribute of a search `\u003Cinput>` field:\n    ```php\n    \u002F\u002F Predicted vulnerable code in display_search_ui()\n    $search_query = isset( $_GET['crsearch'] ) ? $_GET['crsearch'] : '';\n    echo '\u003Cinput type=\"text\" class=\"cr-search-input\" value=\"' . $search_query . '\">'; \n    ```\n\n### 4. Nonce Acquisition Strategy\nThis is a **Reflected XSS** vulnerability in a standard GET request that renders HTML.\n*   **Nonce Requirement:** **No nonce is required** for the reflection to occur, as it happens during the initial page load when the shortcode is processed.\n*   **Bypass:** The vulnerability exists in the output rendering of the page itself, not an AJAX endpoint that validates nonces before execution.\n\n### 5. Exploitation Strategy\n1.  **Target URL Identification:** Identify or create a page containing the `[cusrev_all_reviews]` shortcode.\n2.  **Payload Construction:** Use a payload designed to break out of an HTML attribute and execute JavaScript:\n    *   Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   URL Encoded: `%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E`\n3.  **Request Execution:** Use the `http_request` tool to perform a GET request to the target page with the payload.\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `customer-reviews-woocommerce` version 5.101.0 and `woocommerce` are installed and active.\n2.  **Page Creation:** Create a public page containing the necessary shortcode:\n    ```bash\n    wp post create --post_type=page --post_title=\"Reviews Test\" --post_status=publish --post_content='[cusrev_all_reviews]'\n    ```\n3.  **Verify URL:** Note the URL of the newly created page (e.g., `\u002Freviews-test\u002F`).\n\n### 7. Expected Results\n*   The HTTP response will contain the literal, unescaped string: `value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"`.\n*   If viewed in a browser, the JavaScript `alert(document.domain)` will execute.\n\n### 8. Verification Steps\n1.  **Automated Check:** Use the `http_request` tool to fetch the page with the payload and grep for the raw payload in the response body.\n    ```python\n    response = http_request(\"GET\", \"http:\u002F\u002Fwp.local\u002Freviews-test\u002F?crsearch=\\\">\u003Cscript>alert(1)\u003C\u002Fscript>\")\n    if '\">\u003Cscript>alert(1)\u003C\u002Fscript>' in response['body']:\n        print(\"Vulnerability Confirmed: Payload reflected unescaped.\")\n    ```\n2.  **Manual Browser Check:** Use `browser_navigate` to the URL and check if the script executes or if the input field's value contains the payload.\n\n### 9. Alternative Approaches\nIf the `display_search_ui` hook behaves differently, the reflection may occur in other parts of the \"All Reviews\" block:\n*   **Alternative Sink:** Check the \"Search\" button label or the \"Results for...\" text if the search has been \"submitted\".\n*   **Payload Variation:** If the input is inside a JSON object localized for JavaScript (via `wp_localize_script`), use a payload to break out of a JS string:\n    *   Payload: `\";alert(1);\u002F\u002F`\n*   **AJAX Reflected XSS:** If the search results are loaded via AJAX (action `cr_filter_reviews`), the reflection might occur in the AJAX response. This would require obtaining the nonce from the localized script variable (e.g., `window.ivole_all_reviews_params.nonce` or similar).","The Customer Reviews for WooCommerce plugin is vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient output escaping on the 'crsearch' parameter. This parameter is reflected into the value attribute of a search input field generated by the [cusrev_all_reviews] shortcode, allowing unauthenticated attackers to execute arbitrary scripts in a victim's browser.","\u002F\u002F includes\u002Freviews\u002Fclass-cr-ajax-reviews.php:749\npublic static function get_search_field( $search_button ) {\n\t$search_val = '';\n\t$clear_class = 'cr-clear-input';\n\tif( get_query_var( 'crsearch' ) ) {\n\t\t$search_val = strval( get_query_var( 'crsearch' ) );\n\t\tif( 0 \u003C mb_strlen( $search_val ) ) {\n\t\t\t$clear_class = 'cr-clear-input cr-visible';\n\t\t}\n\t}\n\n---\n\n\u002F\u002F includes\u002Freviews\u002Fclass-cr-ajax-reviews.php:769\n\u003Cinput name=\"cr_input_text_search\" class=\"cr-input-text\" type=\"text\" placeholder=\"'. esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) .'\" value=\"' . $search_val . '\" aria-label=\"' . esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) . 
'\">","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.101.0\u002Fincludes\u002Freviews\u002Fclass-cr-ajax-reviews.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.102.0\u002Fincludes\u002Freviews\u002Fclass-cr-ajax-reviews.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.101.0\u002Fincludes\u002Freviews\u002Fclass-cr-ajax-reviews.php\t2026-02-18 19:08:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.102.0\u002Fincludes\u002Freviews\u002Fclass-cr-ajax-reviews.php\t2026-03-02 00:13:24.000000000 +0000\n@@ -749,9 +749,9 @@\n \t\tpublic static function get_search_field( $search_button ) {\n \t\t\t$search_val = '';\n \t\t\t$clear_class = 'cr-clear-input';\n-\t\t\tif( get_query_var( 'crsearch' ) ) {\n+\t\t\tif ( get_query_var( 'crsearch' ) ) {\n \t\t\t\t$search_val = strval( get_query_var( 'crsearch' ) );\n-\t\t\t\tif( 0 \u003C mb_strlen( $search_val ) ) {\n+\t\t\t\tif ( 0 \u003C strlen( $search_val ) ) {\n \t\t\t\t\t$clear_class = 'cr-clear-input cr-visible';\n \t\t\t\t}\n \t\t\t}\n@@ -766,7 +766,7 @@\n \t\t\t\t\t\t\t\u003Cpath fill-rule=\"evenodd\" d=\"M10.442 10.442a1 1 0 0 1 1.415 0l3.85 3.85a1 1 0 0 1-1.414 1.415l-3.85-3.85a1 1 0 0 1 0-1.415z\"\u002F>\n \t\t\t\t\t\t\t\u003Cpath fill-rule=\"evenodd\" d=\"M6.5 12a5.5 5.5 0 1 0 0-11 5.5 5.5 0 0 0 0 11zM13 6.5a6.5 6.5 0 1 1-13 0 6.5 6.5 0 0 1 13 0z\"\u002F>\n \t\t\t\t\t\t\u003C\u002Fsvg>\n-\t\t\t\t\t\t\u003Cinput name=\"cr_input_text_search\" class=\"cr-input-text\" type=\"text\" placeholder=\"'. esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) .'\" value=\"' . $search_val . '\" aria-label=\"' . esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) . 
'\">\n+\t\t\t\t\t\t\u003Cinput name=\"cr_input_text_search\" class=\"cr-input-text\" type=\"text\" placeholder=\"'. esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) .'\" value=\"' . esc_attr( $search_val ) . '\" aria-label=\"' . esc_attr__( 'Search customer reviews', 'customer-reviews-woocommerce' ) . '\">","1. Identify a public page or post on the target WordPress site that contains the [cusrev_all_reviews] shortcode.\n2. Construct a malicious URL by appending the 'crsearch' GET parameter with a payload designed to break out of an HTML attribute and execute JavaScript (e.g., ?crsearch=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>).\n3. Entice an unauthenticated user or administrator to click the link.\n4. When the page renders, the CR_Ajax_Reviews::get_search_field() method retrieves the 'crsearch' value and echoes it directly into the 'value' attribute of the search input field without escaping, resulting in script execution.","gemini-3-flash-preview","2026-04-16 15:24:46","2026-04-16 15:25:20",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.101.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.101.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.101.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.102.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.102.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags"]
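">
Review bot: The `mb_strlen` to `strlen` swap in the hunk at line 749 is a behaviour change that is unrelated to the XSS fix and is not explained anywhere in the diff; for a `0 < ...` emptiness check the two are equivalent (any non-empty byte string has both lengths above zero), so it is harmless here, but bundling it with the whitespace reformat (`if(` to `if (`) makes the security-relevant change harder to audit. Suggest keeping the unrelated style and function-swap edits in a separate commit, or at least stating the reason for the swap in the commit message.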
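">
Review bot: Wrapping `$search_val` in `esc_attr()` in the hunk at line 766 is the right fix for this sink: the value is interpolated into a double-quoted `value="..."` attribute, and `esc_attr()` encodes the quote and angle brackets that the `">` break-out in the exploit outline relies on, which also brings the line in step with `placeholder` and `aria-label`, both already escaped with `esc_attr__()` on the same line. Two follow-ups worth adding: the first hunk still stores the raw query var in `$search_val` and the name gives no hint that it is unescaped, so any future reuse of it in another context (a JavaScript string, an HTML text node) needs its own context-appropriate escaping rather than relying on this one call; and a unit test that sets the `crsearch` query var to a string containing `"><` and asserts the markup produced by `get_search_field()` contains `&quot;&gt;&lt;` would pin the fix against regression.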