Helpfulcrowd Product Reviews <= 1.2.9 - Incorrect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update
CVE-2026-8499

5.3 MEDIUM

Key Information:

Vendor:
WordPress

CVE Published:
9 June 2026

What is CVE-2026-8499?

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to authorization bypass via PHP type juggling in versions up to, and including, 1.2.9. The helpfulcrowd_validate_token() function validates the token parameter with the loose comparison operator (!=) instead of the strict operator (!==), and the corresponding REST route /wp-json/helpfulcrowd/v1/update-settings is registered with a permission_callback of __return_true, so it is reachable by unauthenticated users. Because PHP's loose comparison treats a boolean true as equal to any non-empty string, submitting a JSON boolean true as the token value compares equal to the base64-encoded secret and bypasses the check entirely. This makes it possible for unauthenticated attackers to invoke helpfulcrowd_settings_endpoint() and write arbitrary attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option via update_option(), with no sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
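The following PHP script is an added illustration of the comparison flaw described above; it is not the plugin's own code, and the function bodies, the secret value and the option keys in the allowlist are constructed for the example. It puts the loose-comparison pattern (`!=`) next to a hardened check that requires a string and uses hash_equals(), then runs both against a correct token, a wrong token and the decoded JSON values an endpoint would actually receive. It also shows the kind of allowlist filter that would have stopped arbitrary keys from reaching update_option().

```php
<?php
// Added example, not the plugin's code. The secret below is constructed.
$secret = base64_encode('constructed-example-secret');

// Vulnerable pattern: `!=` is PHP's loose comparison. For bool vs string, PHP
// converts the string to bool, and any non-empty string becomes true, so
// `true != "<secret>"` is false and the boolean is accepted as a valid token.
// PHP 8 changed int-vs-string comparison, but NOT this bool-vs-string rule.
function validate_token_loose($token, $secret) {
    if ($token != $secret) {
        return false;
    }
    return true;
}

// Hardened check: reject anything that is not a non-empty string before
// comparing, then compare with hash_equals(), which is type-strict and
// constant-time. A bare `!==` would also stop the type-juggling case.
function validate_token_strict($token, $secret) {
    if (!is_string($token) || !is_string($secret) || $secret === '') {
        return false;
    }
    return hash_equals($secret, $token);
}

// Allowlist filter for a settings update: only known keys survive, each coerced
// to its expected type. The key names here are hypothetical placeholders.
const ALLOWED_SETTINGS = [
    'widget_enabled' => 'bool',
    'items_per_page' => 'int',
];

function filter_settings(array $input) {
    $clean = [];
    foreach (ALLOWED_SETTINGS as $key => $type) {
        if (!array_key_exists($key, $input)) {
            continue;
        }
        $clean[$key] = ($type === 'int')
            ? (int) $input[$key]
            : (bool) $input[$key];
    }
    return $clean;
}

// Values as json_decode() would hand them to a REST handler.
$cases = [
    'correct string' => $secret,
    'wrong string'   => 'not-the-secret',
    'JSON true'      => true,
    'JSON null'      => null,
];

foreach ($cases as $label => $token) {
    printf("%-15s loose=%s  strict=%s\n", $label,
        validate_token_loose($token, $secret) ? 'accept' : 'reject',
        validate_token_strict($token, $secret) ? 'accept' : 'reject');
}
// Only the allowlisted keys remain; 'admin_override' is dropped.
print_r(filter_settings([
    'widget_enabled' => 'yes',
    'items_per_page' => '25',
    'admin_override' => 'anything',
]));
```

Running this prints `accept` for the boolean true under the loose check and `reject` under the strict one. The token check is only one layer: the REST route should not be registered with `__return_true` for a settings-changing endpoint; a `permission_callback` that returns `current_user_can('manage_options')` keeps unauthenticated callers out regardless of how the token comparison is written, and the allowlist keeps update_option() from storing keys the plugin never defined.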

Affected Version(s)

Helpfulcrowd Product Reviews: all versions from 0 up to and including 1.2.9

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Abhirup Konwar