CVE-2026-13771 Overview
CVE-2026-13771 is a stored Cross-Site Scripting (XSS) vulnerability in the Customer Reviews for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 5.113.0. It resides in the handling of the color attribute of a plugin-provided shortcode, where input is neither sanitized nor properly escaped on output. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript into pages. The injected script executes in the browser of any visitor who loads an affected page, enabling session theft, forced actions, or redirection to attacker-controlled infrastructure. The issue is tracked under CWE-79.
Critical Impact
Contributor-level accounts can persist JavaScript payloads into WooCommerce store pages, exposing administrators and customers to session hijacking and account takeover when they view the affected content.
Affected Products
- Customer Reviews for WooCommerce plugin for WordPress — all versions up to and including 5.113.0
- WordPress sites using the plugin's trust badge shortcode functionality
- WooCommerce storefronts that permit contributor or higher role registrations
Discovery Timeline
- 2026-07-09 - CVE-2026-13771 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-13771
Vulnerability Analysis
The vulnerability exists in the trust badge component of the Customer Reviews for WooCommerce plugin. The relevant logic is implemented in includes/trust-badge/class-cr-trust-badge.php and rendered through templates/badge-small.php. When a user embeds the plugin's trust badge shortcode into a post or page, the color attribute is passed through to the template output without adequate sanitization or contextual escaping.
Because the value is rendered into an HTML context, an attacker can break out of the intended attribute or style context and inject a script payload. Any subsequent request that renders the page evaluates the payload in the visitor's browser under the site's origin, granting access to session cookies not marked HttpOnly, DOM content, and authenticated actions.
Root Cause
The root cause is missing input validation on the shortcode color parameter combined with unsafe output rendering in the badge template. Neither sanitize_hex_color() nor esc_attr()/esc_html() is enforced on the attribute before it is placed into the rendered markup, allowing arbitrary characters through the shortcode pipeline into the DOM.
Attack Vector
Exploitation requires an authenticated account with contributor-level privileges or above. The attacker creates or edits a post containing the plugin's trust badge shortcode and supplies a crafted color value containing an attribute-breakout sequence and a JavaScript payload. Once the content is published or previewed by a privileged reviewer, the stored payload executes in that user's browser session. Because the CVSS scope is changed, the impact can extend to other users viewing the injected page. See the Wordfence Vulnerability Report and the WordPress Plugin Changeset for the vulnerable code paths.
Detection Methods for CVE-2026-13771
Indicators of Compromise
- Post or page content containing the plugin's trust badge shortcode with a color attribute that includes quotes, angle brackets, javascript:, on*= handlers, or <script> fragments.
- Unexpected <script> tags or inline event handlers rendered in the DOM near trust badge markup.
- New or modified posts authored by contributor-level accounts that embed shortcodes shortly after account creation.
- Outbound browser requests from admin sessions to unfamiliar domains referenced by the injected script.
Detection Strategies
- Scan the wp_posts table for shortcode invocations of the trust badge where the color parameter contains non-hexadecimal characters.
- Enable WordPress audit logging to record shortcode changes, post revisions, and role assignments for lower-privileged users.
- Deploy a web application firewall (WAF) rule that inspects POST bodies to /wp-admin/post.php for script fragments inside shortcode attributes.
Monitoring Recommendations
- Alert on creation of contributor or author accounts followed by rapid post publication.
- Monitor administrator sessions for anomalous XHR or fetch activity originating from post preview or edit screens.
- Track plugin version inventory across managed WordPress instances and flag any deployment running 5.113.0 or earlier.
How to Mitigate CVE-2026-13771
Immediate Actions Required
- Update the Customer Reviews for WooCommerce plugin to the version released after 5.113.0 that addresses this issue.
- Audit existing posts and pages for the trust badge shortcode and remove any suspicious color values.
- Review contributor-level and above accounts, revoke unused accounts, and reset credentials for accounts that may have been misused.
Patch Information
The vendor addressed the flaw in the release following 5.113.0. Refer to the WordPress Plugin Changeset for the code fix and to the Wordfence Vulnerability Report for advisory details. Administrators should apply the update through the WordPress plugin manager or via automated update tooling.
Workarounds
- Restrict who can publish or edit posts by removing the edit_posts capability from untrusted roles until the plugin is patched.
- Temporarily disable the Customer Reviews for WooCommerce plugin on sites that cannot be updated immediately.
- Deploy a Content Security Policy (CSP) that disallows inline scripts and unauthorized script sources to reduce the impact of stored XSS payloads.
# Update the plugin via WP-CLI
wp plugin update customer-reviews-woocommerce
# Verify installed version
wp plugin get customer-reviews-woocommerce --field=version
# Search post content for suspicious shortcode usage
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[cr_trust_badge%' AND post_content REGEXP 'color=\"[^\"]*[<>\"\\\\]';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

