CVE-2026-4664
Status: Received - Intake
Authentication Bypass in WooCommerce Reviews Plugin Allows Unauthorized Review Injection

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`) without first verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is never set, so `get_meta()` returns an empty string. An attacker who supplies `key: ""` matches this empty value and passes the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product, including products not associated with the referenced order, via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default because `ivole_enable_moderation` defaults to `"no"`.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)

Vendor   Product                            Version / Range
cusrev   customer_reviews_for_woocommerce   up to and including 5.103.0
cusrev   customer_reviews_for_woocommerce   5.102.0
cusrev   customer_reviews_for_woocommerce   5.104.0
cusrev   customer_reviews_for_woocommerce   5.105.0
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

The Customer Reviews for WooCommerce plugin for WordPress has an authentication bypass vulnerability in all versions up to and including 5.103.0. The function that checks permissions compares a user-supplied key against a per-order secret key using strict equality, but never verifies that the stored key is non-empty. For orders for which no review reminder email has been sent, no secret key was ever stored, so the stored value reads back as an empty string; an attacker who supplies an empty key therefore passes the permission check.

This flaw enables unauthenticated attackers to submit, modify, and inject product reviews on any product through the REST API endpoint, even for products not associated with the referenced order. Reviews are auto-approved by default since moderation is disabled by default.
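The check described in the Description and in the answer above reduces to a single comparison against a value that may legitimately be empty. The following PHP script is an added illustration, not the plugin's code and not the vendor's patch: it models the vulnerable check alongside a hardened one and runs stand-alone without WordPress. The order IDs, the key values and the helper names (`order_get_meta`, `vulnerable_permissions_check`, `hardened_permissions_check`) are constructed for the example; in the real plugin the stored value would come from `$order->get_meta('ivole_secret_key')` and the supplied value from `$request->get_param('key')` inside the REST route's `permission_callback`.

```php
<?php
// Added illustration (not the plugin's code): the permission-check logic the
// advisory describes, modelled stand-alone so it runs without WordPress.
// Order IDs, keys and helper names below are constructed for this example.

// Constructed stand-in for WooCommerce order meta. Order 1002 never had a
// review reminder sent, so no ivole_secret_key was ever written for it.
$orders = [
    1001 => ['ivole_secret_key' => 'a7f3c9e1b2d4f6a8'],
    1002 => [],
];

// Mirrors the relevant behaviour of WC_Order::get_meta(): unset meta reads
// back as an empty string, not null.
function order_get_meta(array $orders, int $order_id, string $meta_key): string
{
    return $orders[$order_id][$meta_key] ?? '';
}

// Vulnerable form, as described in the advisory: strict equality and nothing
// else. A request that omits `key` fails (null !== ''), but a request that
// sends key: "" matches the empty string returned for an order with no secret.
function vulnerable_permissions_check(string $stored_key, ?string $supplied_key): bool
{
    return $supplied_key === $stored_key;
}

// Hardened form (an added example, not the vendor's actual fix): deny when no
// secret was ever issued for the order, then compare in constant time so the
// comparison itself leaks nothing about the stored value.
function hardened_permissions_check(string $stored_key, ?string $supplied_key): bool
{
    if ($supplied_key === null || $stored_key === '') {
        return false;
    }
    return hash_equals($stored_key, $supplied_key);
}

// Constructed requests: the fourth case is the bypass the advisory describes.
$cases = [
    ['order' => 1001, 'key' => 'a7f3c9e1b2d4f6a8', 'label' => 'correct key, secret issued'],
    ['order' => 1001, 'key' => '',                 'label' => 'empty key, secret issued'],
    ['order' => 1001, 'key' => null,               'label' => 'key omitted, secret issued'],
    ['order' => 1002, 'key' => '',                 'label' => 'empty key, no secret issued'],
    ['order' => 1002, 'key' => null,               'label' => 'key omitted, no secret issued'],
];

foreach ($cases as $c) {
    $stored = order_get_meta($orders, $c['order'], 'ivole_secret_key');
    printf(
        "%-32s vulnerable=%-5s hardened=%s\n",
        $c['label'],
        vulnerable_permissions_check($stored, $c['key']) ? 'ALLOW' : 'deny',
        hardened_permissions_check($stored, $c['key']) ? 'ALLOW' : 'deny'
    );
}
```

Run it with `php check.php`. Only the "empty key, no secret issued" case is allowed by the vulnerable check and denied by the hardened one; omitting `key` entirely is rejected by both, which is why the advisory specifies an explicitly empty `key: ""`. Note that the key check alone does not bind the review to the order's contents: the advisory states that reviews can be injected for products not associated with the referenced order, so a complete `permission_callback` would also confirm that the submitted product ID appears among the order's line items (for example by iterating `$order->get_items()` and comparing each item's `get_product_id()`), which the script above deliberately does not model.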


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to bypass authentication and submit or modify product reviews on any product in a WooCommerce store using the vulnerable plugin. Because reviews are auto-approved by default, attackers can inject fake or malicious reviews without any moderation.

Such unauthorized review manipulation can damage the credibility of the store, mislead customers, and potentially harm the store's reputation and sales.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in the Customer Reviews for WooCommerce plugin, update the plugin immediately to version 5.104.0 or later, which patches the permission check on the review submission endpoint.

  • Update the Customer Reviews for WooCommerce plugin to version 5.104.0 or newer.
  • Keep your WooCommerce and WordPress installations up to date to maintain compatibility and security.
  • Enable review moderation (`ivole_enable_moderation`) if it is not already enabled; this stops injected reviews from being published automatically, but it does not close the bypass itself, so it is a stopgap rather than a fix.
  • If the update cannot be applied immediately, blocking unauthenticated `POST` requests to the `/ivole/v1/review` REST route at the web server or WAF removes the exposed path, at the cost of disabling review submission through that endpoint until the update is in place.
  • Use security best practices such as reCAPTCHA and privacy checkboxes to reduce spam and unauthorized submissions.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Customer Reviews for WooCommerce plugin allows unauthenticated attackers to submit, modify, and inject product reviews via the REST API without a working permission check.

Unauthorized modification of store data of this kind can put a site at odds with the data integrity and security requirements of standards and regulations such as GDPR and HIPAA, which require protection against unauthorized data modification and the maintenance of accurate data.

The advisory itself does not discuss the impact of this vulnerability on compliance with any specific regulation, so any assessment against GDPR, HIPAA or similar frameworks must be made by the site operator.

