Overview
CVE-2025-12123 identifies a reflected Cross-Site Scripting (XSS) vulnerability affecting the Customer Reviews Collector for WooCommerce plugin for WordPress. This vulnerability exists in all versions up to and including 4.6.1. It allows unauthenticated attackers to inject arbitrary web scripts into pages if they can trick a user into clicking a malicious link.
Technical Details
The vulnerability lies in the insufficient input sanitization and output escaping of the email-text parameter. An attacker can craft a malicious URL containing JavaScript code within the email-text parameter. When a user clicks on this crafted link, the injected JavaScript will execute in the user’s browser, potentially allowing the attacker to steal cookies, redirect the user to a malicious website, or perform other actions on behalf of the user.
Specifically, the plugin neither sanitizes the email-text value on input nor escapes it for the HTML context in which it is rendered, so the value is reflected into the page verbatim. This lack of sanitization and output escaping enables the execution of arbitrary JavaScript code.
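The pattern described above, as an added illustration that is not the plugin's own code: a request parameter named email-text is reflected into an HTML attribute without sanitization or escaping, beside the hardened form that uses WordPress's real helpers (sanitize_text_field, wp_unslash, esc_attr). The two render functions and the sample input are hypothetical; the fallback helper definitions exist only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added illustrative example (not the plugin's own code). Shows how a
// reflected XSS in a request parameter such as "email-text" arises and how
// WordPress sanitization/escaping helpers close it. The render_* functions
// and the sample input below are hypothetical.

// Stand-ins so the file runs under plain `php` outside WordPress. Inside
// WordPress the real helpers are already defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // esc_attr escapes for the HTML attribute context (quotes included).
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WordPress's helper: strip tags and control
        // characters, then trim surrounding whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return stripslashes((string) $value);
    }
}

// Vulnerable pattern: the raw request value is concatenated straight into an
// attribute. A double quote in the input closes the attribute, and whatever
// follows is parsed by the browser as markup.
function render_email_field_vulnerable(array $get): string {
    $value = $get['email-text'] ?? '';
    return '<input type="text" name="email-text" value="' . $value . '">';
}

// Hardened pattern: sanitize on input, then escape on output for the exact
// context the value lands in (an HTML attribute here, hence esc_attr).
function render_email_field_hardened(array $get): string {
    $value = isset($get['email-text'])
        ? sanitize_text_field(wp_unslash($get['email-text']))
        : '';
    return '<input type="text" name="email-text" value="' . esc_attr($value) . '">';
}

// Constructed sample input: a quote that closes the attribute followed by
// extra markup, the general shape of an attribute-context injection.
$sample = ['email-text' => '"><em>injected markup</em>'];

echo "vulnerable: ", render_email_field_vulnerable($sample), PHP_EOL;
echo "hardened:   ", render_email_field_hardened($sample), PHP_EOL;
```

Running the file shows the vulnerable output containing a live `<em>` element after the input tag, while the hardened output keeps the whole value inside the attribute as `&quot;&gt;injected markup`. Sanitization on input is not a substitute for escaping on output: the escaping function must match the context (esc_attr for attributes, esc_html for element content, esc_url for href/src), and a value that is stored and later reflected still needs escaping at every render site.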
CVSS Analysis
The vulnerability has a CVSS score of 6.1, which is considered a MEDIUM severity. This score reflects the fact that user interaction is required to trigger the vulnerability. The CVSS vector string is not available, but the score indicates moderate exploitability and impact.
Possible Impact
A successful XSS attack can have several serious consequences:
- Account Takeover: An attacker could potentially steal session cookies, allowing them to impersonate the victim and gain unauthorized access to their WordPress account.
- Malware Distribution: The injected script could redirect users to malicious websites that distribute malware.
- Defacement: An attacker could modify the content of the affected page, defacing the website.
- Data Theft: The attacker might be able to access sensitive information displayed on the page.
Mitigation or Patch Steps
The recommended mitigation is to update the Customer Reviews Collector for WooCommerce plugin to the latest version. It is crucial to ensure your WordPress plugins are always up-to-date to protect against known vulnerabilities.
If updating the plugin is not immediately possible, consider temporarily disabling the plugin until the update can be performed. Also, educate users to be cautious about clicking on links from untrusted sources.
References
- WordPress Plugins Trac – Changeset
- Wordfence Threat Intelligence
