Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media
Summary
| CVE | CVE-2026-12684 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-16 07:16:47 UTC |
| Updated | 2026-07-16 19:16:44 UTC |
| Description | The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion. |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Problem Types: CWE-434 | CWE-434 Unrestricted Upload of File with Dangerous Type | CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Customer Reviews For WooCommerce | affected 5.113.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/169d3455-dd98-4b0b-b6c1-6c9c28aa9707 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Tom C (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.