Media Upload Vulnerability in Customer Reviews for WooCommerce Plugin by WooCommerce
CVE-2026-12684

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
16 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-12684?

The Customer Reviews for WooCommerce WordPress plugin, prior to version 5.113.0, lacks necessary authentication and nonce checks in its AJAX actions related to media uploads. When the review media attachment feature is activated, this flaw permits unauthorized users to upload files to the Media Library. This can lead to the creation of unsolicited attachment posts and results in media library pollution that may exhaust disk space. Proper security measures should be implemented to mitigate this risk and ensure that only authorized users can manage media uploads.

Affected Version(s)

Customer Reviews for WooCommerce 0 < 5.113.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tom C
WPScan
.