CVE-2025-5720 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Customer Reviews for WooCommerce plugin for WordPress, developed by ivole. This vulnerability exists in all versions up to and including 5.80.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'author' parameter in customer reviews. An unauthenticated attacker can exploit this flaw by injecting arbitrary malicious scripts into the 'author' field of a review. These scripts are then stored on the server and executed in the browsers of any users who view the affected review pages. Because the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time. The CVSS 3.1 base score is 6.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), scope changed (S:C), and low impact on confidentiality and integrity, with no impact on availability. The changed scope indicates that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting the broader WordPress site. No known exploits in the wild have been reported yet. The vulnerability can lead to session hijacking, defacement, phishing, or distribution of malware by executing arbitrary JavaScript in the context of the affected website. Since WooCommerce is widely used for e-commerce, exploitation could also lead to theft of customer data or manipulation of reviews, damaging trust and business reputation.

For European organizations using WordPress with the Customer Reviews for WooCommerce plugin, this vulnerability poses a significant risk to website integrity and user trust. E-commerce sites relying on this plugin could have their customer reviews manipulated to inject malicious scripts, potentially leading to theft of user credentials, session tokens, or personal data. This could result in financial fraud, loss of customer confidence, and regulatory repercussions under GDPR due to compromised personal data. The stored nature of the XSS means that once exploited, the malicious script can affect many visitors over time, amplifying the damage. Additionally, attackers could use the vulnerability to perform phishing attacks or deliver malware, impacting the availability and reputation of the affected sites. Given the interconnected nature of European e-commerce and the importance of online retail, such attacks could have cascading effects on business operations and consumer trust across the region.

1. Immediate update or patching: Organizations should monitor the ivole plugin updates and apply any security patches as soon as they are released. If no patch is currently available, consider temporarily disabling the Customer Reviews for WooCommerce plugin or restricting access to the review submission functionality. 2. Input validation and sanitization: Implement additional server-side input validation and output escaping for the 'author' parameter in customer reviews, using secure coding practices and libraries designed to prevent XSS. 3. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block malicious payloads targeting the 'author' parameter in review submissions. 4. Content Security Policy (CSP): Implement a strict CSP header to restrict the execution of unauthorized scripts on the website, mitigating the impact of any injected scripts. 5. User privilege review: Since the vulnerability requires low privileges, review user roles and permissions to limit review submission capabilities to trusted users if possible. 6. Monitoring and incident response: Enable logging and monitoring for unusual review submissions or script injection attempts and prepare an incident response plan to quickly remediate any exploitation. 7. Educate users and administrators about the risks of XSS and encourage regular security audits of plugins and themes.