CVE-2025-5720: 
WordPress vulnerability analysis and mitigation

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' parameter in versions up to and including 5.80.2. This vulnerability was discovered and reported by Wordfence, with the disclosure date being July 31, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'author' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks targeting users who view the compromised content (NVD).

Users should update the Customer Reviews for WooCommerce plugin to a version newer than 5.80.2 when available. Until then, website administrators should monitor review submissions carefully and consider implementing additional input validation at the web application firewall level (NVD).