Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter
Summary
| CVE | CVE-2026-4664 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-10 02:16:03 UTC |
| Updated | 2026-04-10 02:16:03 UTC |
| Description | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: ""` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `"no"`. |
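The root cause described above is a strict comparison that still succeeds when the stored secret was never set. The following PHP is an added illustrative example, not the plugin's own code: it shows that pattern beside a hardened permission callback that fails closed when no key is on record, compares keys in constant time, and checks that the reviewed product actually belongs to the order. The `ivole_secret_key` meta key and the `/ivole/v1/review` endpoint come from the advisory; the request parameter names `order` and `product`, the helper function names, and the minimum key length are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress + WooCommerce are
// loaded: WP_REST_Request, WP_Error, wc_get_order() and WC_Order::get_meta()
// are the real APIs; parameter names 'order', 'product' and 'key' are assumed.

// Vulnerable pattern, as described in the advisory: when no review reminder
// was ever sent, get_meta('ivole_secret_key') returns '' and a request that
// supplies key="" satisfies the strict comparison.
function example_vulnerable_review_permissions_check( WP_REST_Request $request ) {
    $order = wc_get_order( (int) $request->get_param( 'order' ) );
    if ( ! $order ) {
        return false;
    }
    $stored_key = $order->get_meta( 'ivole_secret_key' ); // '' when meta is absent
    $supplied   = (string) $request->get_param( 'key' );
    return $supplied === $stored_key; // '' === '' evaluates to true
}

// Hardened pattern: deny when no key was ever issued, require a plausible key
// length (32 chosen for illustration), compare in constant time, and confirm
// the product is actually a line item of the referenced order.
function example_hardened_review_permissions_check( WP_REST_Request $request ) {
    $forbidden = function ( $message ) {
        return new WP_Error( 'rest_forbidden', $message, array( 'status' => 403 ) );
    };

    $order = wc_get_order( (int) $request->get_param( 'order' ) );
    if ( ! $order ) {
        return $forbidden( 'Order not found.' );
    }

    $stored_key = (string) $order->get_meta( 'ivole_secret_key' );
    $supplied   = (string) $request->get_param( 'key' );

    // No key on record means this order was never invited to review: fail closed.
    if ( '' === $stored_key || strlen( $stored_key ) < 32 ) {
        return $forbidden( 'No review key issued for this order.' );
    }

    // hash_equals() avoids timing side channels and rejects a type-juggled match.
    if ( '' === $supplied || ! hash_equals( $stored_key, $supplied ) ) {
        return $forbidden( 'Invalid review key.' );
    }

    // Only products that appear as line items of this order may be reviewed.
    $product_id = (int) $request->get_param( 'product' );
    $in_order   = false;
    foreach ( $order->get_items() as $item ) {
        if ( $item instanceof WC_Order_Item_Product && (int) $item->get_product_id() === $product_id ) {
            $in_order = true;
            break;
        }
    }
    if ( ! $in_order ) {
        return $forbidden( 'Product is not part of this order.' );
    }

    return true;
}
```

The hardened callback would be passed as `permission_callback` when registering the `/ivole/v1/review` route with `register_rest_route()`. Two design points matter here: an absent secret must be treated as "not authorized" rather than as a matchable value, and the authorization check should bind the review to the order's own line items, since the advisory notes that a bypass otherwise allows reviews on products unrelated to the referenced order.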
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.001470000 probability, percentile 0.351150000 (date 2026-04-10)
Problem Types: CWE-287 Improper Authentication
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Ivole | Customer Reviews For WooCommerce | affected: 5.103.0 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/changeset | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/re... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/em... | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734... | [email protected] | www.wordfence.com | |
| wordpress.org/plugins/customer-reviews-woocommerce | [email protected] | wordpress.org | |
| plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/re... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/re... | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Supanat Konprom (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-03-23T17:13:40.000Z | Vendor Notified |
| CNA | 2026-04-09T12:26:12.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.