CVE-2026-4664
Published 2026-04-10
Priority: P3 (37) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.67% (47.5th percentile)
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: ""` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `"no"`.
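As an added example (not the plugin's code and not taken from the advisory), the comparison pattern the description identifies is shown beside a hardened permission callback. The route `ivole/v1/review`, the `key` request parameter and the `ivole_secret_key` order meta come from the advisory; the function names, the `order` and `product` request parameters, and the handler wiring are assumptions made for illustration.

```php
<?php
// Added example for CVE-2026-4664, not the plugin's own code.
// Parameter names 'order' and 'product' and all function names are assumed.

// Vulnerable pattern: strict equality alone. When no reminder email was ever
// sent, get_meta() returns '' for the unset meta, so a request carrying
// key: "" satisfies '' === '' and is granted. Shown for contrast only.
function cr_vulnerable_permissions_check( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order'] ) );
    if ( ! $order ) {
        return new WP_Error( 'cr_no_order', 'Invalid order', array( 'status' => 404 ) );
    }
    $stored = $order->get_meta( 'ivole_secret_key' );
    return $request['key'] === $stored; // true for '' === ''
}

// Hardened pattern: reject when the stored key was never issued, reject a
// missing, non-string or empty supplied key, compare in constant time, and
// bind the review to a product that is actually on the referenced order.
function cr_hardened_permissions_check( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order'] ) );
    if ( ! $order ) {
        return new WP_Error( 'cr_no_order', 'Invalid order', array( 'status' => 404 ) );
    }

    $stored   = (string) $order->get_meta( 'ivole_secret_key' );
    $supplied = $request['key'];

    // No key was ever generated for this order: nothing can legitimately match.
    if ( '' === $stored ) {
        return new WP_Error( 'cr_forbidden', 'No review key issued for this order', array( 'status' => 403 ) );
    }
    // hash_equals() requires strings; an array or null must not reach it.
    if ( ! is_string( $supplied ) || '' === $supplied ) {
        return new WP_Error( 'cr_forbidden', 'Missing review key', array( 'status' => 403 ) );
    }
    if ( ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'cr_forbidden', 'Invalid review key', array( 'status' => 403 ) );
    }

    // The advisory notes reviews could be injected for products not on the
    // order; a valid key should only unlock products the order contains.
    $product_ids = array();
    foreach ( $order->get_items() as $item ) {
        $product_ids[] = (int) $item->get_product_id();
    }
    if ( ! in_array( absint( $request['product'] ), $product_ids, true ) ) {
        return new WP_Error( 'cr_forbidden', 'Product not in order', array( 'status' => 403 ) );
    }

    return true;
}

// Placeholder handler so the route registration below is complete; the real
// plugin inserts the review here.
function cr_create_review_example( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'accepted' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ivole/v1', '/review', array(
        'methods'             => 'POST',
        'callback'            => 'cr_create_review_example',
        'permission_callback' => 'cr_hardened_permissions_check',
    ) );
} );
```

The `'' === $stored` branch is the fix for the bug as described; the `is_string` guard and `hash_equals()` close the adjacent type-juggling and timing issues that a plain `===` on request input leaves open. The product-in-order check is a defence-in-depth addition for the cross-product injection the advisory mentions and is not something the advisory says the upstream fix does.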
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivole | customer_reviews_for_woocommerce | <= 5.103.0 | — |
GHSA
GHSA-jhv8-553j-r4x3 · unreviewed · 2026-04-10 · MEDIUM · CWE-287 (Improper Authentication)
The GHSA entry carries the same description as the CVE text above.
VulDB
vuldb · 2026-04-10 · CVSS 5.3 · MEDIUM
ivole Customer Reviews for WooCommerce Plugin up to 5.103.0 on WordPress REST API Endpoint /ivole/v1/review create_review_permissions_check key improper authentication
A vulnerability classified as critical was found in ivole Customer Reviews for WooCommerce Plugin up to 5.103.0 on WordPress. This impacts the function create_review_permissions_check of the file /ivole/v1/review of the component REST API Endpoint. The manipulation of the argument key results in improper authentication.
This vulnerability is identified as CVE-2026-4664. The attack can be executed remotely. No exploit is available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655
https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0
https://wordpress.org/plugins/customer-reviews-woocommerce/
https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve