Authentication Bypass in Customer Reviews for WooCommerce Plugin by WordPress
CVE-2026-4664
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 10 April 2026
What is CVE-2026-4664?
The Customer Reviews for WooCommerce plugin allows unauthenticated attackers to bypass permission checks, enabling them to submit, modify, and inject product reviews. This vulnerability arises from the insecure handling of the 'key' parameter in the 'create_review_permissions_check()' function, which does not properly verify whether the 'ivole_secret_key' is set. As a result, attackers can exploit this flaw via the REST API endpoint to manipulate reviews for any product, drastically undermining the integrity of user-generated content. By default, reviews submitted in this manner are auto-approved, further compounding the risks associated with this vulnerability.
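The failure mode described above, a key check that passes when the stored secret was never set, as an added PHP example that is not the plugin's code. `loose_key_check` is a hypothetical pattern of this bug class (the plugin's actual comparison is not shown on this page), `strict_key_check` fails closed, and all function names and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical loose check (NOT the plugin's code): when the stored secret
// was never configured, an option lookup yields false or '', and a loose
// comparison treats an absent or empty request key as equal to it.
function loose_key_check(mixed $stored, mixed $supplied): bool
{
    return $supplied == $stored;
}

// Hardened check: fail closed unless a non-empty secret is configured AND
// the caller supplied a non-empty string that matches it in constant time.
function strict_key_check(mixed $stored, mixed $supplied): bool
{
    if (!is_string($stored) || $stored === '') {
        return false; // secret not set: nobody is authorised by key
    }
    if (!is_string($supplied) || $supplied === '') {
        return false; // missing, empty or non-string key
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases: [stored option value, request 'key' value, should allow?]
$cases = [
    'secret unset, key absent' => [false, null, false],
    'secret unset, key empty'  => [false, '', false],
    'secret empty, key empty'  => ['', '', false],
    'secret set, key absent'   => ['s3cr3t-constructed', null, false],
    'secret set, wrong key'    => ['s3cr3t-constructed', 'guess', false],
    'secret set, array key'    => ['s3cr3t-constructed', ['x'], false],
    'secret set, correct key'  => ['s3cr3t-constructed', 's3cr3t-constructed', true],
];

foreach ($cases as $name => [$stored, $supplied, $expected]) {
    $loose  = loose_key_check($stored, $supplied);
    $strict = strict_key_check($stored, $supplied);
    printf("%-26s loose=%-5s strict=%-5s %s\n", $name,
        var_export($loose, true), var_export($strict, true),
        $strict === $expected ? 'ok' : 'MISMATCH');
}
```

In a WordPress REST route, a check like `strict_key_check` belongs in the route's `permission_callback`, which should deny the request whenever the function returns false.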
Affected Version(s)
Customer Reviews for WooCommerce: versions 0 through 5.103.0 (inclusive)