Unrated severity · NVD Advisory · Published Aug 22, 2022 · Updated Aug 3, 2024

Yotpo Reviews for WooCommerce <= 2.0.4 - Arbitrary Settings Update via CSRF

CVE-2022-2555

Description

The Yotpo Reviews for WooCommerce plugin up to version 2.0.4 lacks CSRF protection on its settings update, allowing an attacker to change plugin settings by tricking an admin into clicking a malicious link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Yotpo Reviews for WooCommerce plugin, versions up to and including 2.0.4, lacks a nonce check when updating its settings. This CSRF vulnerability allows an attacker to make a logged-in administrator unknowingly change the plugin's settings via a crafted request. The affected endpoint does not validate the request origin, relying only on the user's active session.

Exploitation

An attacker needs to craft a malicious link or page that, when visited by an authenticated administrator, triggers a request to the plugin's settings update endpoint. No additional privileges or special network position is required other than normal web access. The admin must be logged into WordPress during the visit. The attacker can then modify arbitrary plugin settings, such as API keys or display options.

Impact

Successful exploitation permits unauthorized modification of the plugin's settings. Depending on the configuration options, this could lead to disruption of functionality (e.g., disabling reviews), data exfiltration if API keys are changed to attacker-controlled endpoints, or further compromise if the plugin integrates with external services. The attack does not directly achieve code execution or privilege escalation, but may indirectly aid such attacks.

Mitigation

As of the available references [1], no fix has been released. The plugin's vendor has not provided a patched version. Users are advised to discontinue use of the plugin or implement a Web Application Firewall (WAF) rule to block requests to the vulnerable endpoint without a valid nonce. The plugin is not listed in the CISA KEV as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing nonce check on the plugin's settings-update handler allows Cross-Site Request Forgery (CSRF)."

Attack vector

An attacker crafts a malicious link or form that, when visited by a logged-in administrator, silently submits a settings-update request to the plugin. Because the plugin fails to include or verify a nonce on its settings-update handler [CWE-352], the browser automatically attaches the admin's session cookies, and the request is processed as if the admin intended it [ref_id=1]. This allows the attacker to arbitrarily change the plugin's configuration.

Affected code

The advisory does not name a specific file or function; it states only that the plugin's settings-update handler, i.e. the whole settings page, performs no nonce check [ref_id=1].

What the fix does

No patch or fixed version has been published by the vendor [ref_id=1]. The advisory recommends that the plugin implement a nonce check (e.g., using WordPress's `wp_nonce_field()` and `check_admin_referer()`) on the settings-update handler to ensure the request originated from the intended admin interface and not from a cross-site request [ref_id=1].
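To make the recommended fix concrete, the following is an added example of a WordPress admin settings handler in both forms: the vulnerable pattern that trusts only the logged-in session, and a hardened version that uses `wp_nonce_field()` and `check_admin_referer()` as the advisory recommends. This is illustrative code written for this page, not the Yotpo plugin's own code; the option name (`example_api_key`), action name (`example_reviews_save`) and page function names are assumptions.

```php
<?php
/*
 * Illustrative settings-update handler for a WordPress admin page.
 * Added example, not the Yotpo plugin's code. The option name
 * example_api_key and the action name example_reviews_save are assumed.
 */

// --- Vulnerable pattern (the defect class described above) ---
// Relies on the session cookie alone: any form post a third-party page
// causes the admin's browser to send is accepted as if the admin made it.
function example_reviews_save_vulnerable() {
    if ( isset( $_POST['example_api_key'] ) ) {
        update_option( 'example_api_key', $_POST['example_api_key'] );
    }
}

// --- Hardened pattern ---
// 1. Render the form with a nonce bound to one named action.
function example_reviews_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_reviews_save' ); // emits _wpnonce + referer fields ?>
        <input type="hidden" name="action" value="example_reviews_save">
        <label>API key
            <input type="text" name="example_api_key"
                   value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. On submit: capability check, then nonce check, then sanitize and store.
function example_reviews_save_hardened() {
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the _wpnonce field for this action and
    // stops with a 403 if it is missing, expired, or was issued to another user.
    // A cross-site request cannot supply a valid nonce, so it never reaches
    // update_option().
    check_admin_referer( 'example_reviews_save' );

    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );

    // Send the admin back to the settings page rather than leaving them on admin-post.php.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_reviews_save', 'example_reviews_save_hardened' );
```

The ordering matters: the capability check runs first so that an unprivileged but logged-in user is rejected regardless of the nonce, and the nonce check runs before any state change so that a forged request is refused before `update_option()` is reached. Input is sanitized after both checks, since sanitization alone does nothing against a request the admin never intended to send.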

Preconditions

  • Input: The attacker must trick a logged-in WordPress administrator into visiting a crafted URL or page.
  • Config: The target site must have the Yotpo Reviews for WooCommerce plugin installed and activated (version <= 2.0.4).

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)