VYPR
Unrated severity · NVD Advisory · Published Nov 16, 2024 · Updated Apr 8, 2026

Customer Reviews for WooCommerce <= 5.61.0 - Missing Authorization to Authenticated (Subscriber+) Import Cancellation

CVE-2024-10614

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel an import or check on its status.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing capability check in cancel_import() allows authenticated attackers with Subscriber-level access to cancel imports and check status in WooCommerce Customer Reviews plugin.

Vulnerability

The Customer Reviews for WooCommerce plugin for WordPress contains a missing capability check on the cancel_import() function in all versions up to and including 5.61.0 [1]. This function is intended for administrative use but lacks proper authorization, making it accessible to any authenticated user regardless of their role.

Exploitation

An attacker needs only a valid WordPress account with Subscriber-level access or higher. They can call the cancel_import() function via AJAX or direct request to cancel an ongoing import process or check its status. No additional privileges or user interaction are required.
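To make the bug class concrete for the Vulnerability and Exploitation sections above, here is an added illustration of a WordPress AJAX handler that lacks a capability check next to a hardened version. This is example code, not the plugin's own; the hook names, nonce action and option key are assumptions, and only cancel_import() as a concept comes from the advisory.

```php
<?php
// Hypothetical illustration, not code from Customer Reviews for WooCommerce.
// Handlers hooked on wp_ajax_{action} run for ANY logged-in user, Subscriber
// included; being logged in is the only thing WordPress checks for you.
// Hook names, nonce action and the option key are assumed for this example.

// Vulnerable pattern: the handler trusts the session and acts immediately.
// Any authenticated user can POST action=cr_cancel_import_vuln and stop the job.
function cr_cancel_import_vulnerable() {
    delete_option( 'cr_import_in_progress' );          // assumed import-state key
    wp_send_json_success( array( 'status' => 'cancelled' ) );
}
add_action( 'wp_ajax_cr_cancel_import_vuln', 'cr_cancel_import_vulnerable' );

// Hardened pattern: a nonce for CSRF and, separately, a capability check for
// authorization. The nonce alone does NOT fix this bug: a Subscriber can fetch
// a valid nonce for their own session. current_user_can() is what limits the
// action to administrators (manage_options is a reasonable choice here).
function cr_cancel_import_hardened() {
    check_ajax_referer( 'cr_import_nonce', 'nonce' );   // dies on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    delete_option( 'cr_import_in_progress' );
    wp_send_json_success( array( 'status' => 'cancelled' ) );
}
add_action( 'wp_ajax_cr_cancel_import', 'cr_cancel_import_hardened' );
```

When auditing a plugin for this pattern, look at every wp_ajax_ and admin_post_ callback and confirm each one calls current_user_can() (or an equivalent role check) before touching state, not just a nonce check.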

Impact

Successful exploitation allows an attacker to cancel imports or check the status of import operations. This could disrupt import workflows and potentially lead to denial of service or information disclosure about import status. The impact is limited to the import functionality.

Mitigation

The plugin has been patched in version 5.62.0 or later. Users should update to the latest version (5.109.0 as of the reference) [1]. No workarounds are provided. The vulnerability is not listed in CISA KEV.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
