@gopa4 – Do you have a link for information on this? I tried searching, but can’t find any mention of this, so it’s hard to research when it can’t be found on any official CVE list.
gopa4 (@gopa4), Thread Starter
I got this by automatic email from my webhost (from Plesk/WP Toolkit scans). There is no further information on this. Plesk has WP Toolkit:
Only this: “WP Toolkit has detected new vulnerabilities on WordPress sites you manage. It is strongly recommended that you update or disable vulnerable assets on these sites. You can also set WP Toolkit to automatically take action when vulnerabilities are detected.”
I found the following, but they are linking to the source code of a previous version. This was already fixed in 3.6.8 and the researcher looks like they are issuing tons of bogus alerts for many plugins. I’m not sure what to do about it, since there is no contact info for the researcher, and the issue is no longer present.
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-customer-reviews/wp-customer-reviews-368-authenticated-subscriber-sensitive-information-exposure
