WordPress Social Reviews & Recommendations Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Social Reviews & Recommendations plugin for WordPress, affecting all versions through 2.5. The issue arises from inadequate input sanitization and output escaping in the 'trim_text' function, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts execute when users access the affected pages. Although version 2.5 includes a partial patch, the vulnerability persists in earlier versions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an unauthenticated user can inject a script into a review via the vulnerable 'trim_text' function. This can be done by submitting a review that includes the script, which will then be executed when the review is viewed.

Remediation

Users are advised to update the Social Reviews & Recommendations plugin to version 2.6 or later, where this vulnerability has been patched.