CVE-2025-5720 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Customer Reviews for WooCommerce plugin for WordPress, affecting all versions up to and including 5.80.2. The root cause is insufficient input sanitization and output escaping of the ‘author’ parameter in customer reviews, which allows unauthenticated attackers to inject arbitrary JavaScript code into review pages. When other users or administrators visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, no user interaction required, and partial impact on confidentiality and integrity, but no impact on availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. No authenticated access is required to exploit this vulnerability, increasing its risk profile. As of the publication date, no known exploits have been reported in the wild, but the vulnerability's nature makes it a candidate for exploitation in targeted or opportunistic attacks against WooCommerce-based e-commerce sites. The plugin is widely used in WordPress environments, which are popular globally, especially in countries with significant e-commerce markets. The vulnerability could be leveraged to steal user credentials, perform unauthorized actions, or deface websites, impacting both site owners and customers.

The primary impact of CVE-2025-5720 is on the confidentiality and integrity of affected WordPress e-commerce sites using the Customer Reviews for WooCommerce plugin. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, login credentials, or other sensitive information. This can lead to account takeover, unauthorized transactions, or further compromise of the website. The vulnerability does not directly affect availability but can indirectly cause denial of service if attackers deface the site or disrupt normal operations. Organizations relying on WooCommerce for customer reviews risk reputational damage, loss of customer trust, and financial losses due to fraud or remediation costs. Since the vulnerability requires no authentication and no user interaction, it is easier to exploit at scale, increasing the risk for high-traffic e-commerce sites. The scope change means that the impact can extend beyond the plugin itself, potentially affecting other parts of the WordPress site or integrated systems.

To mitigate CVE-2025-5720, organizations should immediately apply any available patches or updates from the ivole vendor once released. Until a patch is available, implement strict input validation and sanitization on the ‘author’ parameter in customer reviews to block malicious scripts. Employ robust output encoding/escaping techniques when rendering user-generated content to prevent script execution. Restrict review submission privileges to trusted users or implement CAPTCHA mechanisms to reduce automated injection attempts. Use Web Application Firewalls (WAFs) with rules targeting XSS payloads to detect and block exploitation attempts. Regularly audit and monitor logs for suspicious review submissions or unusual activity. Educate site administrators and users about the risks of XSS and encourage the use of security plugins that enhance input filtering. Additionally, consider disabling or limiting the customer reviews feature temporarily if the risk is deemed high and no immediate patch is available. Finally, maintain regular backups and incident response plans to quickly recover from any successful exploitation.