diff --git a/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice b/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice
new file mode 100644
index 00000000000..bd2040e7d3e
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Remove the potential for a Reflected XSS attack in relation to a dismissable notice in the edit comments screen.
diff --git a/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php b/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
index b54e9c10b3a..f1e46bb139f 100644
--- a/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
+++ b/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
@@ -73,26 +73,32 @@ class ReviewsCommentsOverrides {
 	 * @return void
 	 */
 	protected function display_reviews_moved_notice() : void {
-		$dismiss_url = wp_nonce_url(
-			add_query_arg(
-				[
-					'wc-hide-notice' => urlencode( static::REVIEWS_MOVED_NOTICE_ID ),
-				]
-			),
-			'woocommerce_hide_notices_nonce',
-			'_wc_notice_nonce'
-		);
 		?>
-
 		<div class="notice notice-info is-dismissible">
 			<p><strong><?php esc_html_e( 'Product reviews have moved!', 'woocommerce' ); ?></strong></p>
 			<p><?php esc_html_e( 'Product reviews can now be managed from Products > Reviews.', 'woocommerce' ); ?></p>
 			<p class="submit">
 				<a href="<?php echo esc_url( admin_url( 'edit.php?post_type=product&page=product-reviews' ) ); ?>" class="button-primary"><?php esc_html_e( 'Visit new location', 'woocommerce' ); ?></a>
 			</p>
-			<button type="button" class="notice-dismiss" onclick="window.location = '<?php echo esc_url( $dismiss_url ); ?>';"><span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span></button>
-		</div>
 
+			<form action="<?php echo esc_url( admin_url( 'edit-comments.php' ) ); ?>" method="get">
+				<input type="hidden" name="wc-hide-notice" value="<?php echo esc_attr( static::REVIEWS_MOVED_NOTICE_ID ); ?>" />
+
+				<?php if ( ! empty( $_GET['comment_status'] ) ): ?>
+					<input type="hidden" name="comment_status" value="<?php echo esc_attr( $_GET['comment_status'] ); ?>" />
+				<?php endif; ?>
+
+				<?php if ( ! empty( $_GET['paged'] ) ): ?>
+					<input type="hidden" name="paged" value="<?php echo esc_attr( $_GET['paged'] ); ?>" />
+				<?php endif; ?>
+
+				<?php wp_nonce_field( 'woocommerce_hide_notices_nonce', '_wc_notice_nonce' ); ?>
+
+				<button type="submit" class="notice-dismiss">
+					<span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span>
+				</button>
+			</form>
+		</div>
 		<?php
 	}
 
diff --git a/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php b/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
index 295d78a5119..e0ef8fa4e53 100644
--- a/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
+++ b/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
@@ -205,7 +205,9 @@ class ReviewsCommentsOverridesTest extends WC_Unit_Test_Case {
 
 		$this->assertStringContainsString( '<div class="notice notice-info is-dismissible">', $output );
 		$this->assertStringContainsString( '<a href="http://' . WP_TESTS_DOMAIN . '/wp-admin/edit.php?post_type=product&#038;page=product-reviews" class="button-primary">', $output );
-		$this->assertStringContainsString( '<button type="button" class="notice-dismiss" onclick="window.location = \'?wc-hide-notice=product_reviews_moved&#038;_wc_notice_nonce=' . $nonce . '\';">', $output );
+		$this->assertStringContainsString( '<input type="hidden" name="wc-hide-notice" value="product_reviews_moved" />', $output );
+		$this->assertStringContainsString( '<input type="hidden" id="_wc_notice_nonce" name="_wc_notice_nonce" value="' . $nonce . '" />', $output );
+		$this->assertStringNotContainsString( 'onclick', $output );
 	}
 
 	/**