CVE-2026-3355: The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the...
MEDIUM
CVSS 5.5
Exploit Available
1 PoC
Published: April 16, 2026 | Last Modified: April 16, 2026
Description
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Ghostwire Analysis — What This Means Practically
- Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
- 1 proof-of-concept exploit available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.
- 12 articles from independent security sources have covered this vulnerability, indicating significant industry attention.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.
Proof-of-Concept Exploits (1)
Security Coverage (12 articles)
References