Home

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: ""` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `"no"`.

PUBLISHED Reserved 2026-03-23 | Published 2026-04-10 | Updated 2026-04-10 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-287 Improper Authentication

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-23:Vendor Notified
2026-04-09:Disclosed

Credits

Supanat Konprom finder

References

www.wordfence.com/...-ad33-4d0c-a999-d0734df2f59b?source=cve

plugins.trac.wordpress.org/.../reviews/class-cr-endpoint.php

plugins.trac.wordpress.org/.../reviews/class-cr-endpoint.php

plugins.trac.wordpress.org/.../reviews/class-cr-endpoint.php

plugins.trac.wordpress.org/...udes/emails/class-cr-email.php

wordpress.org/plugins/customer-reviews-woocommerce/

plugins.trac.wordpress.org/...views-woocommerce/tags/5.104.0

cve.org (CVE-2026-4664)

nvd.nist.gov (CVE-2026-4664)

Download JSON