CVE-2026-4664
Authentication Bypass in WooCommerce Reviews Plugin Allows Unauthorized Review Injection
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cusrev | customer_reviews_for_woocommerce | up to and including 5.103.0 |
| cusrev | customer_reviews_for_woocommerce | 5.102.0 |
| cusrev | customer_reviews_for_woocommerce | 5.104.0 |
| cusrev | customer_reviews_for_woocommerce | 5.105.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Customer Reviews for WooCommerce plugin for WordPress has an authentication bypass vulnerability in all versions up to and including 5.103.0. The function that checks permissions compares a user-supplied key against a stored secret key using strict equality, but never verifies that the stored key is non-empty. For orders for which no review reminder email has been sent, the stored key is empty, so an attacker can supply an empty key and pass the permission check.
This flaw enables unauthenticated attackers to submit, modify, and inject product reviews on any product through the REST API endpoint, even for products not associated with the referenced order. Reviews are auto-approved by default since moderation is disabled by default.
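The check described above, modelled as an added example: this is not the plugin's code, and the function names, order fields and sample orders are hypothetical. The vulnerable version shows why an empty stored key is accepted; the hardened version refuses orders that were never issued a key, compares in constant time, and additionally requires the reviewed product to belong to the referenced order.

```php
<?php
// Constructed sample order store (hypothetical field names).
// Order 1001 has had a reminder email sent, so it holds a key;
// order 1002 has not, so its stored key is empty.
$orders = [
    1001 => ['review_key' => 'k3y-from-reminder-email', 'products' => [10, 11]],
    1002 => ['review_key' => '',                        'products' => [12]],
];

// Vulnerable pattern: strict comparison, but no check that a key was
// ever issued, so an empty supplied key matches an empty stored key.
function vulnerable_permission_check(array $orders, int $order_id, string $supplied_key): bool
{
    $stored = $orders[$order_id]['review_key'] ?? '';
    return $supplied_key === $stored;
}

// Hardened pattern: no key issued means nothing to authenticate against;
// compare in constant time; and only allow products from that order.
function hardened_permission_check(array $orders, int $order_id, string $supplied_key, int $product_id): bool
{
    if (!isset($orders[$order_id])) {
        return false;
    }
    $stored = (string) $orders[$order_id]['review_key'];
    if ($stored === '' || $supplied_key === '') {
        return false;
    }
    if (!hash_equals($stored, $supplied_key)) {
        return false;
    }
    return in_array($product_id, $orders[$order_id]['products'], true);
}

// Order 1002 never received a reminder email; compare how each check
// treats an empty key for it, and how the hardened check treats a
// valid key used against a product outside order 1001.
var_dump(vulnerable_permission_check($orders, 1002, ''));
var_dump(hardened_permission_check($orders, 1002, '', 12));
var_dump(hardened_permission_check($orders, 1001, 'k3y-from-reminder-email', 10));
var_dump(hardened_permission_check($orders, 1001, 'k3y-from-reminder-email', 12));
```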
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to bypass authentication and submit or modify product reviews on any product in a WooCommerce store using the vulnerable plugin. Because reviews are auto-approved by default, attackers can inject fake or malicious reviews without any moderation.
Such unauthorized review manipulation can damage the credibility of the store, mislead customers, and potentially harm the store's reputation and sales.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the Customer Reviews for WooCommerce plugin, update the plugin immediately to version 5.104.0 or later, in which the review-submission endpoint has been patched.
- Update the Customer Reviews for WooCommerce plugin to version 5.104.0 or newer.
- Ensure that your WooCommerce and WordPress installations are also up to date to maintain compatibility and security.
- Consider enabling moderation for reviews if not already enabled, to prevent auto-approval of potentially malicious reviews.
- Use security best practices such as reCAPTCHA and privacy checkboxes to reduce spam and unauthorized submissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Customer Reviews for WooCommerce plugin allows unauthenticated attackers to submit, modify, and inject product reviews via the REST API without proper permission checks.
This unauthorized access and data manipulation could lead to non-compliance with the data integrity and security requirements of standards and regulations such as GDPR and HIPAA, which mandate protection against unauthorized data modification and require data accuracy.
However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with specific regulations like GDPR or HIPAA.