{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4664", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-23T16:58:28.787Z", "datePublished": "2026-04-10T01:24:57.433Z", "dateUpdated": "2026-04-10T12:18:36.208Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:57.433Z"}, "affected": [{"vendor": "ivole", "product": "Customer Reviews for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.103.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product \u2014 including products not associated with the referenced order \u2014 via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`."}], "title": "Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345"}, {"url": "https://wordpress.org/plugins/customer-reviews-woocommerce/"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "timeline": [{"time": "2026-03-23T17:13:40.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T12:26:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T12:18:26.892966Z", "id": "CVE-2026-4664", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:18:36.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4664", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T12:18:26.892966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:18:31.826Z"}}], "cna": {"title": "Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ivole", "product": "Customer Reviews for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.103.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T17:13:40.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-09T12:26:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345"}, {"url": "https://wordpress.org/plugins/customer-reviews-woocommerce/"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0"}], "descriptions": [{"lang": "en", "value": "The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product \u2014 including products not associated with the referenced order \u2014 via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:57.433Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4664", "state": "PUBLISHED", "dateUpdated": "2026-04-10T12:18:36.208Z", "dateReserved": "2026-03-23T16:58:28.787Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-10T01:24:57.433Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product \u2014 including products not associated with the referenced order \u2014 via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`."}], "id": "CVE-2026-4664", "lastModified": "2026-04-24T18:01:58.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:03.710", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/customer-reviews-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.103.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Customer Reviews for WooCommerce", "source": "cna", "vendor": "ivole"}, "product": "customer_reviews_for_woocommerce", "vendor": "ivole"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T03:21:12.169267+00:00", "value": {"mitigation_remediation": ["Upgrade Customer Reviews for WooCommerce to version 5.104.0 or later", "If an upgrade cannot be performed immediately, restrict unauthenticated access to the /ivole/v1/review endpoint or enforce authentication before allowing review submissions", "Disable auto\u2011approval by setting the ivole_enable_moderation option to \"yes\" so that all reviews are moderated before display"], "summary": {"action": "Patch", "impact": "Unauthorized product review submission via API"}, "threat_synthesis": {"affected_systems": "WordPress sites that run the Customer Reviews for WooCommerce plugin version 5.103.0 or earlier are vulnerable. Administrators should verify the plugin version and treat all reviews submitted since the plugin was installed as potentially unauthenticated until the plugin is updated.", "description_and_impact": "The Customer Reviews for WooCommerce plugin contains an authentication bypass that allows an attacker to supply an empty key when sending a POST request to the review endpoint. The plugin compares the supplied key to the order\u2019s secret key without checking that a key is present, and an unset key is an empty string. Because the check uses strict equality, the empty key matches and bypasses the permission test, permitting the creation, modification, or injection of product reviews. The default configuration auto\u2011approves reviews, so malicious content can appear on storefront pages immediately, compromising the integrity of product listings.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity issue. The likely attack vector is an unauthenticated user sending a crafted POST request to the /ivole/v1/review REST endpoint. No special privileges or exploit code are required, and the vulnerability is trivially exploitable by anyone with network access to the site. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The consequence is loss of content integrity and potential reputation damage through spam or malicious reviews."}}}}, "created": "2026-04-10T08:36:15.057195+00:00", "updated": "2026-04-10T09:27:14.643143+00:00", "vendors": ["ivole", "ivole$PRODUCT$customer_reviews_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}