CVE-2026-24562
Description
Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ryviu – Product Reviews for WooCommerce plugin for WordPress is vulnerable to broken access control, allowing unauthenticated attackers to exploit missing authorization checks to perform unauthorized actions.
Vulnerability Overview
The Ryviu – Product Reviews for WooCommerce plugin for WordPress, versions up to and including 3.1.26, contains a missing authorization vulnerability. This broken access control issue stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify permissions or nonce tokens before allowing certain actions, enabling unprivileged users to execute higher-privileged operations [1].
Exploitation Details
Attackers can exploit this vulnerability without requiring authentication, as the missing authorization check allows any user to trigger privileged functions. The attack surface is broad because the plugin is widely used for WooCommerce product reviews, and the access control flaw can be targeted in mass-exploit campaigns against thousands of websites simultaneously, regardless of site size or popularity [1].
Impact
Successful exploitation could allow an attacker to perform actions normally restricted to higher-privileged users, such as modifying plugin settings, accessing sensitive data, or altering review content. This could lead to unauthorized data exposure, site defacement, or disruption of e-commerce functionality.
Mitigation
The vendor has not released a patched version as of the publication date. Users are strongly advised to update the plugin immediately if a fix becomes available. If unable to update, contacting the hosting provider or a web developer for assistance is recommended [1]. The vulnerability has a CVSS v3 score of 5.3 (Medium), indicating moderate severity.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.1.26
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.