CVE-2026-4664

Vulnerability Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: ""` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `"no"`.

CVSS Score

Related Weaknesses (CWE)

References

• https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.1
• https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.1
• https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.1
• https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.1
• https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocom
• https://wordpress.org/plugins/customer-reviews-woocommerce/
• https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a99