CVE-2025-14891 is a stored cross-site scripting vulnerability identified in the Customer Reviews for WooCommerce plugin for WordPress, affecting all versions up to and including 5.93.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'displayName' parameter. Authenticated attackers with at least customer-level access can inject arbitrary JavaScript payloads into pages that are then stored and executed when other users access those pages. Although the AJAX action related to this vulnerability can be invoked without authentication, exploitation requires knowledge of a valid form ID, which is only obtainable by placing an order. If guest checkout is enabled, unauthenticated attackers can exploit this vulnerability by first placing an order to retrieve the form ID, thereby lowering the barrier to exploitation. The vulnerability impacts confidentiality and integrity by allowing script execution in the context of other users, potentially leading to session hijacking, data theft, or defacement. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (customer-level), no user interaction, and a scope change. No public exploits have been reported yet. This vulnerability is particularly relevant for e-commerce websites using WooCommerce with the affected plugin, as it can be leveraged to target customers and site administrators.

For European organizations operating e-commerce platforms using WooCommerce with the Customer Reviews for WooCommerce plugin, this vulnerability can lead to significant risks. Exploitation could result in theft of customer session tokens, personal data exposure, or unauthorized actions performed on behalf of users, undermining customer trust and violating data protection regulations such as GDPR. The ability for unauthenticated attackers to exploit the flaw if guest checkout is enabled increases the attack surface, especially for retailers who allow guest purchases. This could lead to reputational damage, financial losses, and potential regulatory penalties. Additionally, the scope change indicated by the CVSS vector means that the vulnerability affects components beyond the initially compromised privileges, potentially impacting site administrators or other users. Given the widespread use of WooCommerce in Europe, especially in countries with strong e-commerce markets like Germany, the UK, France, and the Netherlands, the impact could be broad if not mitigated promptly.

1. Immediate patching: Apply updates from the plugin vendor as soon as they are released to fix the input sanitization and output escaping issues. 2. If patches are not yet available, implement strict input validation on the 'displayName' parameter to reject or sanitize potentially malicious input. 3. Employ output encoding techniques on all user-supplied data rendered in web pages to prevent script execution. 4. Disable guest checkout temporarily if possible, to reduce the risk of unauthenticated exploitation. 5. Monitor web server and application logs for suspicious AJAX requests or unusual form ID access patterns. 6. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads and known attack vectors related to WooCommerce plugins. 7. Educate site administrators and users about the risks of XSS and encourage the use of strong authentication and session management practices. 8. Conduct regular security assessments and penetration testing focused on plugin vulnerabilities and input handling.