CVE-2026-8499
Received Received - Intake
Authorization Bypass via PHP Type Juggling in Helpfulcrowd Product Reviews

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-8499
EUVD
EUVD-2026-35302
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
helpfulcrowd product_reviews to 1.2.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Helpfulcrowd Product Reviews plugin for WordPress has a vulnerability called Authorization Bypass via PHP Type Juggling in versions up to and including 1.2.9.

This happens because the function helpfulcrowd_validate_token() uses a loose comparison operator (!=) instead of a strict one (!==) when checking the token parameter.

The REST route /wp-json/helpfulcrowd/v1/update-settings is accessible to unauthenticated users because its permission callback always returns true.

By submitting a JSON boolean true as the token value, PHP's loose comparison treats it as equal to the secret token string, bypassing the token check.

This allows unauthenticated attackers to call the helpfulcrowd_settings_endpoint() and write arbitrary key-value pairs into the plugin's stored configuration in the WordPress database without any filtering or sanitization.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify the plugin's stored configuration arbitrarily.

Attackers can write attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option.

Because there is no sanitization or allowlist filtering, this can lead to unauthorized changes in the plugin's behavior or settings.

The CVSS score of 5.3 indicates a medium severity impact with no confidentiality or availability impact but with integrity impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart