Media Upload Vulnerability in Customer Reviews for WooCommerce Plugin by WooCommerce
CVE-2026-12684
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
Badges
What is CVE-2026-12684?
The Customer Reviews for WooCommerce WordPress plugin, prior to version 5.113.0, lacks necessary authentication and nonce checks in its AJAX actions related to media uploads. When the review media attachment feature is activated, this flaw permits unauthorized users to upload files to the Media Library. This can lead to the creation of unsolicited attachment posts and results in media library pollution that may exhaust disk space. Proper security measures should be implemented to mitigate this risk and ensure that only authorized users can manage media uploads.
Affected Version(s)
Customer Reviews for WooCommerce 0 < 5.113.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.