The Customer Reviews for WooCommerce plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) via the 'displayName' parameter due to inadequate input sanitization and output escaping. This flaw affects all versions up to and including 5.93.1. Authenticated attackers with customer-level privileges can inject arbitrary web scripts that execute when users access the affected pages. While the AJAX action related to this vulnerability can be invoked without authentication, exploitation requires knowledge of a valid form ID, which is typically obtained by placing an order. Guest checkout settings may allow unauthenticated exploitation if the attacker can acquire a form ID. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial impact on confidentiality and integrity.

Successful exploitation allows attackers to execute arbitrary scripts in the context of affected users, potentially leading to theft of sensitive information or session hijacking. The impact is limited to confidentiality and integrity with no availability impact. The requirement of customer-level access or knowledge of a valid form ID limits the ease of exploitation, but guest checkout settings may increase risk by allowing unauthenticated attackers to exploit the vulnerability after placing an order.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling guest checkout to reduce risk from unauthenticated attackers. Restricting customer-level access and monitoring for suspicious activity related to form IDs may help mitigate exploitation. Avoid using vulnerable versions of the plugin if possible and monitor vendor channels for updates.