Hackers Can Inject Code Into WordPress Sites via Flaw in Product Review Plugin
2020-05-18 11:23

A vulnerability addressed recently in the WP Product Review Lite plugin for WordPress could be abused by unauthenticated attackers to hack websites.

WP Product Review Lite is designed for creating product reviews on WordPress websites.

Last week, the team of developers behind the plugin addressed an unauthenticated persistent Cross-Site Scripting vulnerability that could have been exploited to inject code into all of a website's product pages.

Sucuri security researchers explain that, although all user input is sanitized, one of the WordPress functions used for this can be bypassed when the attacker-supplied parameter is set inside an HTML attribute.

Sucuri reported the vulnerability on May 13 and a patch was released the next day, with version 3.7.6 of WP Product Review Lite.
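The attribute-context bypass described above, as an added illustration that is not code from the plugin or from Sucuri's report: a sanitizer that only strips tags leaves quotes intact, so a value written into a quoted attribute can close it and add attributes of its own, while escaping for the attribute context at output (what WordPress's `esc_attr()` is for) keeps it inside the value. The `strip_tags_sanitize` stand-in, the `<input>` template and the sample value are assumptions constructed for this example, since the page does not name the function involved.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: no tags at all, just a quote that closes the attribute.
SAMPLE = 'review" data-injected="1'
EXPECTED_ATTRS = ["type", "name", "value"]
TEMPLATE = '<input type="text" name="title" value="%s">'


def strip_tags_sanitize(value: str) -> str:
    """Hypothetical stand-in for a text sanitizer: removes tags, keeps quotes."""
    return re.sub(r"<[^>]*>", "", value).strip()


def render_unsafe(value: str) -> str:
    # Sanitized on input, but written into the attribute without escaping.
    return TEMPLATE % strip_tags_sanitize(value)


def render_safe(value: str) -> str:
    # Same template; quotes are escaped for the attribute context at output.
    return TEMPLATE % html.escape(strip_tags_sanitize(value), quote=True)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup: str) -> list:
    """Parse the markup the way a browser would and list the attributes it sees."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names


def breaks_out(markup: str) -> bool:
    """True when the rendered element carries attributes the template never had."""
    return attribute_names(markup) != EXPECTED_ATTRS


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render(SAMPLE)
        print(render.__name__, "->", out, "| breaks out:", breaks_out(out))
```

The `breaks_out` check doubles as a regression test for templates: render each field with a quote-bearing value and fail the build if the parsed attribute list changes.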


News URL

http://feedproxy.google.com/~r/Securityweek/~3/WAq9R3unPqE/hackers-can-inject-code-wordpress-sites-flaw-product-review-plugin

Related vendor

Last 12 months:

| Vendor | # Products | Low | Medium | High | Critical | Total vulns |
|---|---|---|---|---|---|---|
| WordPress | 7 | 2 | 95 | 44 | 18 | 159 |
| Plugin | 2 | 0 | 13 | 1 | 0 | 14 |