CVE-2026-8499

Deferred Deferred - Pending Action

Authorization Bypass via PHP Type Juggling in Helpfulcrowd Product Reviews

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-09

Generated

2026-06-29

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-28

NVD

CVE-2026-8499

EUVD

EUVD-2026-35302

Affected Vendors & Products

Vendor	Product	Version / Range
helpfulcrowd	product_reviews	to 1.2.9 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-843	The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Attack-Flow Graph

Detection Guidance

This vulnerability involves unauthorized access to the REST route /wp-json/helpfulcrowd/v1/update-settings via a token parameter that can be bypassed using a JSON boolean true value. Detection can focus on monitoring HTTP requests to this REST endpoint, especially those that include the token parameter with a boolean true value or unusual payloads attempting to update plugin settings.

You can detect attempts by inspecting web server logs or using command-line tools to search for suspicious requests. For example, using grep on Apache or Nginx logs to find requests to the vulnerable endpoint:

grep "/wp-json/helpfulcrowd/v1/update-settings" /var/log/apache2/access.log
grep "/wp-json/helpfulcrowd/v1/update-settings" /var/log/nginx/access.log

Additionally, you can use curl to test if the endpoint is reachable and vulnerable by sending a POST request with the token set to true in JSON:

curl -X POST https://yourwordpresssite.com/wp-json/helpfulcrowd/v1/update-settings -H "Content-Type: application/json" -d '{"token":true}' -v

Monitoring for unexpected changes in the helpfulcrowd_options WordPress database option may also indicate exploitation.

Compliance Impact

This vulnerability allows unauthenticated attackers to modify plugin configuration settings arbitrarily by bypassing authorization checks. Such unauthorized modifications could potentially lead to improper handling or exposure of personal or sensitive data managed by the plugin.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability for attackers to alter plugin settings without authentication could undermine data protection controls required by these regulations, potentially leading to non-compliance.

Executive Summary

The Helpfulcrowd Product Reviews plugin for WordPress has a vulnerability called Authorization Bypass via PHP Type Juggling in versions up to and including 1.2.9.

This happens because the function helpfulcrowd_validate_token() uses a loose comparison operator (!=) instead of a strict one (!==) when checking the token parameter.

The REST route /wp-json/helpfulcrowd/v1/update-settings is accessible to unauthenticated users because its permission callback always returns true.

By submitting a JSON boolean true as the token value, PHP's loose comparison treats it as equal to the secret token string, bypassing the token check.

This allows unauthenticated attackers to call the helpfulcrowd_settings_endpoint() and write arbitrary key-value pairs into the plugin's stored configuration in the WordPress database without any filtering or sanitization.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify the plugin's stored configuration arbitrarily.

Attackers can write attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option.

Because there is no sanitization or allowlist filtering, this can lead to unauthorized changes in the plugin's behavior or settings.

The CVSS score of 5.3 indicates a medium severity impact with no confidentiality or availability impact but with integrity impact.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable REST endpoint and updating the plugin to a version that fixes the authorization bypass.

Temporarily disable or restrict access to the /wp-json/helpfulcrowd/v1/update-settings REST route, for example by using a web application firewall (WAF) or server-level access controls.
Update the Helpfulcrowd Product Reviews plugin to a version later than 1.2.9 where the authorization bypass via PHP type juggling is fixed.
If an update is not immediately available, consider applying custom code to enforce strict token validation or disable the plugin until a patch is released.

Additionally, monitor your WordPress database for unauthorized changes to the helpfulcrowd_options option and review logs for suspicious activity.

Hi! I’m here to help you understand CVE-2026-8499. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70