CVE-2026-1316 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Customer Reviews for WooCommerce plugin for WordPress, affecting all versions up to and including 5.97.0. The root cause is insufficient input sanitization and output escaping of the 'media[].href' parameter, which is used to handle media URLs within customer reviews. When the plugin's 'Enable for Guests' feature is enabled, unauthenticated attackers can submit crafted review data containing malicious JavaScript payloads. These payloads are stored persistently and executed in the browsers of any users who visit the affected review pages, leading to potential theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of users. The vulnerability has a CVSS v3.1 base score of 7.2, reflecting its high severity due to network attack vector, no required privileges or user interaction, and a scope change affecting confidentiality and integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-79, indicating improper neutralization of input during web page generation. Given WooCommerce's widespread use in e-commerce, this vulnerability poses a significant risk to online stores relying on this plugin for customer reviews.

The exploitation of this vulnerability can lead to significant confidentiality and integrity breaches for organizations running WooCommerce with the vulnerable Customer Reviews plugin. Attackers can inject malicious scripts that execute in the context of users' browsers, potentially stealing authentication cookies, session tokens, or other sensitive data. This can result in account takeover, unauthorized transactions, or defacement of e-commerce sites, damaging brand reputation and customer trust. Since the vulnerability requires no authentication and can be triggered by any visitor if guest reviews are enabled, the attack surface is broad. The availability impact is minimal, but the compromise of user data and site integrity can have severe business consequences, including regulatory penalties if customer data is exposed. Organizations with high traffic e-commerce platforms are particularly at risk, as successful exploitation can affect many users simultaneously.

Immediate mitigation steps include disabling the 'Enable for Guests' option in the Customer Reviews for WooCommerce plugin to prevent unauthenticated review submissions. Administrators should implement strict input validation and output encoding for all user-supplied data, particularly the 'media[].href' parameter, to neutralize malicious scripts. Employing a Web Application Firewall (WAF) with rules targeting XSS payloads can help detect and block exploitation attempts. Regularly audit and sanitize existing review content to remove any injected scripts. Monitor logs for suspicious activities related to review submissions. Until an official patch is released, consider temporarily disabling or replacing the plugin with a secure alternative. Additionally, ensure WordPress core and all plugins are kept up to date, and educate site administrators about the risks of enabling guest reviews without proper security controls.