Analysis Report · Folder Analysis cache/customer-reviews-woocommerce_5.93.1 → cache/customer-reviews-woocommerce_5.94.0 — CVE-2025-14891
Shared security patch analysis results
CVE Security Analysis & Writeups
Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
CVE-2025-14891 (NVD; AI-Generated Analysis)
Findings
includes/reminders/class-cr-local-forms-ajax.php
AI: 2 vulnerabilities
2 true positives
CVE-2025-14891
--- cache/customer-reviews-woocommerce_5.93.1/includes/reminders/class-cr-local-forms-ajax.php 2026-01-07 00:39:15.245557176 +0000+++ cache/customer-reviews-woocommerce_5.94.0/includes/reminders/class-cr-local-forms-ajax.php 2026-01-07 00:42:59.875331873 +0000@@ -53,7 +53,7 @@ $req = new stdClass(); $req->order = new stdClass(); $req->order->id = $record->orderId;- $req->order->display_name = $_POST['displayName'];+ $req->order->display_name = sanitize_text_field( $_POST['displayName'] ); $req->order->items = array(); foreach( $db_items as $item ) { if( -1 === intval( $item['id'] ) ) {@@ -73,7 +73,7 @@ $db_items = json_encode( $db_items ); $update_result = $wpdb->update( $table_name, array(- 'displayName' => $_POST['displayName'],+ 'displayName' => $req->order->display_name, 'items' => $db_items ), array( 'formId' => $_POST['formId'] ) ); if( false !== $update_result ) {
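Review bot: In the `@@ -53,7` hunk the new line `$req->order->display_name = sanitize_text_field( $_POST['displayName'] );` still reads `$_POST['displayName']` with no `isset()` guard and no `wp_unslash()`, so a request that omits the parameter raises an undefined-index notice and slashed input (WordPress adds slashes to `$_POST`) is stored with literal backslashes; suggest `sanitize_text_field( wp_unslash( $_POST['displayName'] ?? '' ) )`. Note also that `sanitize_text_field()` is input sanitization, not output escaping: wherever `display_name` is later echoed it must still pass through `esc_html()`, otherwise the fix only narrows, rather than removes, the stored-XSS path.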
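Review bot: In the `@@ -73,7` hunk the where clause still passes `'formId' => $_POST['formId']` unvalidated; `$wpdb->update()` prepares the value, so this is not an injection path, but a missing or non-numeric `formId` should be rejected before the query instead of silently matching zero rows. Suggest `$form_id = absint( $_POST['formId'] ?? 0 );` with an early return when it is 0, and keep the change that reuses `$req->order->display_name` for the `displayName` column so the stored value and the value used earlier in the handler cannot diverge.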
AI Analysis
I'll analyze this security-focused code diff for vulnerabilities.
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/reminders/class-cr-local-forms-ajax.php - Line 56
Old Code:
```php
$req->order->display_name = $_POST['displayName'];
```
Fixed Code:
```php
$req->order->display_name = sanitize_text_field( $_POST['displayName'] );
```
Explanation:
The original code directly assigned unsanitized user input from `$_POST['displayName']` to an object property without any sanitization. This value could contain malicious HTML/JavaScript that would later be output to the page, causing a Stored XSS vulnerability. The fix applies `sanitize_text_field()`, a WordPress sanitization function that removes HTML tags and dangerous characters, properly neutralizing the threat.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/reminders/class-cr-local-forms-ajax.php - Line 76
Old Code:
```php
'displayName' => $_POST['displayName'],
```
Fixed Code:
```php
'displayName' => $req->order->display_name,
```
Explanation:
The original code passed unsanitized `$_POST['displayName']` directly to the database update operation. The fix reuses the sanitized `$req->order->display_name` value set on line 56, so malicious input is no longer stored in the database and the stored value matches the one used elsewhere in the handler, closing the Stored XSS path through the database layer.
CVE Analysis Results:
CVE-2025-14891: Yes
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order.
templates/form-customer.php
AI: 1 vulnerability
1 false positive
CVE-2025-14891
--- cache/customer-reviews-woocommerce_5.93.1/templates/form-customer.php 2026-01-07 00:39:15.501573043 +0000+++ cache/customer-reviews-woocommerce_5.94.0/templates/form-customer.php 2026-01-07 00:43:00.471368269 +0000@@ -8,7 +8,7 @@ <div class="cr-form-customer"> <div class="cr-form-customer-title-ctr"> <div class="cr-form-customer-title">- <?php echo $cr_form_cust_title; ?>+ <?php echo esc_html( $cr_form_cust_title ); ?> </div> </div> <div class="cr-form-item-container">@@ -16,27 +16,27 @@ <div class="cr-form-customer-name"> <div class="cr-form-customer-name-preview"> <div class="cr-form-customer-name-preview-name">- <?php echo $cr_form_cust_preview_name; ?>+ <?php echo esc_html( $cr_form_cust_preview_name ); ?> </div> </div> <div class="cr-form-customer-name-options"> <?php if ( $cr_form_cust_name ) : ?> <div class="cr-form-customer-name-option<?php if( $cr_form_cust_preview_name === $cr_form_cust_name ) echo ' cr-form-active-name' ?>">- <span><?php echo $cr_form_cust_name; ?></span>+ <span><?php echo esc_html( $cr_form_cust_name ); ?></span> </div> <?php endif; ?> <?php if ( $cr_form_cust_name_w_dot ) : ?> <div class="cr-form-customer-name-option<?php if( $cr_form_cust_preview_name === $cr_form_cust_name_w_dot ) echo ' cr-form-active-name' ?>">- <span><?php echo $cr_form_cust_name_w_dot; ?></span>+ <span><?php echo esc_html( $cr_form_cust_name_w_dot ); ?></span> </div> <?php endif; ?> <?php if ( $cr_form_cust_f_name ) : ?> <div class="cr-form-customer-name-option<?php if( $cr_form_cust_preview_name === $cr_form_cust_f_name ) echo ' cr-form-active-name' ?>">- <span><?php echo $cr_form_cust_f_name; ?></span>+ <span><?php echo esc_html( $cr_form_cust_f_name ); ?></span> </div> <?php endif; ?> <div class="cr-form-customer-name-option<?php if( $cr_form_cust_preview_name === $cr_form_cust_anonymous ) echo ' cr-form-active-name' ?>">- <span><?php echo $cr_form_cust_anonymous; ?></span>+ <span><?php echo esc_html( $cr_form_cust_anonymous ); ?></span> </div> </div> 
</div>@@ -47,6 +47,6 @@ <?php echo $cr_form_terms; ?> </div> <div class="cr-form-submit">- <span class="cr-form-submit-label"><?php echo $cr_form_submit; ?></span>+ <span class="cr-form-submit-label"><?php echo esc_html( $cr_form_submit ); ?></span> <span class="cr-form-submit-loader"></span> </div>
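Review bot: In the `@@ -8,7` hunk, `esc_html()` is the right escaper for `$cr_form_cust_title` because it is rendered as a text node inside a `<div>`; if the title is ever expected to carry markup, the escape should be swapped for `wp_kses_post()` rather than removed, since dropping it reintroduces the unescaped echo the hunk fixes.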
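Review bot: In the `@@ -16,27` hunk every name variant (`$cr_form_cust_name`, `$cr_form_cust_name_w_dot`, `$cr_form_cust_f_name`, `$cr_form_cust_anonymous`, and the preview) now goes through `esc_html()`, which is consistent; the only remaining unescaped output in the hunk is the literal `' cr-form-active-name'` class suffix, which is a constant and needs no escaping. If that suffix ever becomes a variable, it sits inside a `class="..."` attribute and would need `esc_attr()` rather than `esc_html()`.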
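Review bot: The `@@ -47,6` hunk escapes `$cr_form_submit` but leaves the context line `<?php echo $cr_form_terms; ?>` directly above it unescaped, so one raw echo survives in the same template. If the terms text legitimately contains links or formatting, wrap it in `wp_kses_post()`; if it is plain text, apply `esc_html()` as was done for the submit label.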
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/form-customer.php - Lines 11, 19, 26, 30, 34, 38, 50
Old Code:
```php
<?php echo $cr_form_cust_title; ?>
<?php echo $cr_form_cust_preview_name; ?>
<?php echo $cr_form_cust_name; ?>
<?php echo $cr_form_cust_name_w_dot; ?>
<?php echo $cr_form_cust_f_name; ?>
<?php echo $cr_form_cust_anonymous; ?>
<?php echo $cr_form_submit; ?>
```
Fixed Code:
```php
<?php echo esc_html( $cr_form_cust_title ); ?>
<?php echo esc_html( $cr_form_cust_preview_name ); ?>
<?php echo esc_html( $cr_form_cust_name ); ?>
<?php echo esc_html( $cr_form_cust_name_w_dot ); ?>
<?php echo esc_html( $cr_form_cust_f_name ); ?>
<?php echo esc_html( $cr_form_cust_anonymous ); ?>
<?php echo esc_html( $cr_form_submit ); ?>
```
Explanation:
The original code directly echoed user-controlled variables without escaping them. This is a classic Stored/Reflected XSS vulnerability (CWE-79). An attacker could inject malicious JavaScript code through these variables (form title, customer names, etc.), which would execute in the browsers of other users viewing the form. The fix properly applies `esc_html()` to escape HTML entities, preventing the browser from interpreting injected HTML/JavaScript tags. This is the correct WordPress escaping function for outputting text content in HTML context.
CVE Analysis Results:
CVE-2025-14891: Yes