CVE-2026-28132 PUBLISHED

WordPress WooCommerce Photo Reviews plugin <= 1.4.4 - Content Injection vulnerability

Assigner: Patchstack
Reserved: 25.02.2026 Published: 26.02.2026 Updated: 26.02.2026

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection.This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.

Product Status

Vendor	villatheme
Product	WooCommerce Photo Reviews
Versions	Default: unaffected affected from n/a to <= 1.4.4 (incl.)

Credits

Bonds | Patchstack Bug Bounty Program finder

References

https://patchstack.com/database/Wordpress/Plugin/woocommerce-photo-reviews/vulnerability/wordpress-woocommerce-photo-reviews-plugin-1-4-4-content-injection-vulnerability?_s_id=cve

Problem Types

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE

Impacts

Code Injection