CVE-2025-14891 is a stored cross-site scripting vulnerability identified in the Customer Reviews for WooCommerce plugin for WordPress, present in all versions up to and including 5.93.1. The root cause is insufficient sanitization and escaping of the 'displayName' parameter during web page generation, classified under CWE-79. This flaw allows authenticated users with at least customer-level privileges to inject arbitrary JavaScript code into review pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions. Although the AJAX endpoint related to this vulnerability can be triggered without authentication, exploitation requires knowledge of a valid form ID, which is only obtainable by placing an order. If guest checkout is enabled, unauthenticated attackers can exploit this vector, increasing risk. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability's presence in a widely used e-commerce plugin makes it a significant concern for WordPress sites relying on Customer Reviews for WooCommerce.

The primary impact of CVE-2025-14891 is the potential for attackers to execute arbitrary JavaScript in the context of affected WordPress sites, leading to theft of sensitive user information such as cookies, session tokens, or personal data. This can facilitate account takeover, unauthorized transactions, or phishing attacks targeting site users. The vulnerability undermines the integrity of customer reviews and can damage the trustworthiness of e-commerce platforms using the plugin. Since the attack can be performed by authenticated customers or, under certain conditions, unauthenticated users, the attack surface is relatively broad. The compromise of user sessions or data can lead to regulatory compliance issues, reputational damage, and financial losses for affected organizations. Given WooCommerce's extensive use worldwide, the vulnerability poses a risk to a large number of online stores, especially those with guest checkout enabled and active customer review features.

To mitigate CVE-2025-14891, organizations should immediately update the Customer Reviews for WooCommerce plugin to a patched version once available. Until a patch is released, administrators should consider disabling the customer review feature or restricting access to review submission and display pages to trusted users only. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the 'displayName' parameter can reduce exploitation risk. Additionally, disabling guest checkout temporarily can prevent unauthenticated attackers from obtaining valid form IDs necessary for exploitation. Site owners should also audit existing reviews for injected scripts and remove any malicious content. Enforcing Content Security Policy (CSP) headers to restrict script execution sources can further mitigate the impact of any successful XSS attempts. Regular security scanning and monitoring for unusual activity related to review submissions are recommended to detect exploitation attempts early.