CVE-2026-4664
Description
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the create_review_permissions_check() function comparing the user-supplied key parameter against the order's ivole_secret_key meta value using strict equality (===), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the ivole_secret_key meta is not set, causing get_meta() to return an empty string. An attacker can supply key: "" to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint POST /ivole/v1/review. Reviews are auto-approved by default since ivole_enable_moderation defaults to "no".
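The flawed comparison beside a hardened form, as an added PHP example; this is a simplified, hypothetical reconstruction rather than the plugin's own code, and it assumes a constructed in-memory order-meta store standing in for WooCommerce's get_meta().

```php
<?php
// Added example, not the plugin's code: a simplified, hypothetical reconstruction
// of the flawed permission check described in the advisory next to a hardened version.
// The order meta store is a constructed in-memory array so this runs without WordPress.

// Constructed sample orders: 1001 had a reminder sent, so a key is stored;
// 1002 never had one, so ivole_secret_key was never set.
$orders = [
    1001 => ['ivole_secret_key' => 'a3f9c2e1d4b7'],   // constructed key value
    1002 => [],
];

// Stand-in for WC_Order::get_meta(): an unset meta key yields an empty string.
function get_order_meta(array $orders, int $order_id, string $meta_key): string {
    return $orders[$order_id][$meta_key] ?? '';
}

// Flawed check: === avoids type juggling, but '' === '' is still true, so an
// order without a stored key accepts a request whose key parameter is "".
function permissions_check_vulnerable(array $orders, int $order_id, string $key): bool {
    $stored = get_order_meta($orders, $order_id, 'ivole_secret_key');
    return $key === $stored;
}

// Hardened check: refuse when no key was ever issued for the order (or the
// request omits it), then compare in constant time with hash_equals().
function permissions_check_fixed(array $orders, int $order_id, string $key): bool {
    $stored = get_order_meta($orders, $order_id, 'ivole_secret_key');
    if ($stored === '' || $key === '') {
        return false;
    }
    return hash_equals($stored, $key);
}

// Constructed request cases: [order id, supplied key parameter]
$cases = [
    [1001, 'a3f9c2e1d4b7'],  // legitimate key for an order that has one
    [1001, 'wrong-key'],     // wrong key for that order
    [1002, ''],              // empty key against an order with no key stored
];

foreach ($cases as [$order_id, $key]) {
    printf(
        "order %d key %-14s vulnerable=%s fixed=%s\n",
        $order_id,
        var_export($key, true),
        permissions_check_vulnerable($orders, $order_id, $key) ? 'allow' : 'deny',
        permissions_check_fixed($orders, $order_id, $key) ? 'allow' : 'deny'
    );
}
```

The third case is the one the advisory describes: only the hardened check denies it, because it treats a missing stored key as "no review link was ever issued" instead of as a valid empty secret.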
Affected products
- Range: <=5.103.0
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php (NVD)
- plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- wordpress.org/plugins/customer-reviews-woocommerce/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b (NVD)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog, Apr 23, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026), Wordfence Blog, Apr 16, 2026