Attack Vectors
WP Customer Reviews (slug: wp-customer-reviews) is affected by a High-severity reflected cross-site scripting (XSS) vulnerability in versions up to and including 3.7.5, tracked as CVE-2025-14452 (CVSS 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
The attack is delivered through a crafted request that uses the ‘wpcr3_fname’ parameter. Because it is reflected, the most common real-world scenario is an attacker distributing a link (via email, social media, ads, support tickets, or direct messages) and attempting to get someone to click it.
No login is required for an attacker to attempt exploitation. While the vulnerability relies on a user action (such as clicking a link), it can still be a practical risk for organizations where staff routinely interact with inbound messages, customer feedback, partner requests, or campaigns that drive traffic to WordPress pages.
Security Weakness
The root issue is insufficient input sanitization and output escaping for the ‘wpcr3_fname’ parameter in WP Customer Reviews. This allows an attacker’s script content to be reflected into a page response, where it can run in a visitor’s browser under the context of your site.
From a governance and compliance perspective, reflected XSS is not “just a website bug.” It is a trust and integrity issue: it enables unauthorized behavior in a user’s browser that appears to come from your legitimate domain, which can undermine confidence in your brand and your digital channels.
Remediation: Update WP Customer Reviews to version 3.7.6 or newer (patched). Validate that the plugin update is applied across all WordPress instances where the plugin is installed, including staging or regional sites.
Technical or Business Impacts
This vulnerability is rated High because it can be exploited remotely without authentication, and it can affect users who interact with a malicious link. Potential impacts include brand impersonation, user session risk, and manipulation of what users see or submit on affected pages.
For marketing directors and business owners, the most meaningful risks are business-facing: loss of trust in high-visibility pages, compromised campaign landing-page integrity, and increased likelihood of fraud attempts that use your domain’s credibility. If a user is tricked into interacting with a malicious link, an attacker may be able to run scripts that alter page behavior in the browser and attempt to capture sensitive information entered by the user.
Compliance and leadership teams should view this as a potential customer data exposure and integrity issue (depending on user behavior and what’s captured on impacted pages). Even limited incidents can trigger reputational damage, support burden, and potential reporting obligations depending on your industry and internal policies.
Similar Attacks
Reflected XSS is a widely used technique in real-world attacks because it can be delivered through seemingly legitimate links. For general background and well-known examples, see:
Recent Comments