PT-2026-31850 · WordPress · Customer Reviews For Woocommerce

Supanat Konprom · Published 2026-04-10 · Updated 2026-04-10

CVE-2026-4664 · CVSS v3.1 5.3 Medium · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Customer Reviews for WooCommerce plugin for WordPress, versions up to and including 5.103.0
Description The Customer Reviews for WooCommerce plugin for WordPress is susceptible to authentication bypass on the REST endpoint POST /ivole/v1/review. The endpoint's permission callback, create_review_permissions_check(), compares the user-supplied key parameter with the order's stored ivole_secret_key meta value using strict equality (===) but never checks that the stored key is non-empty. The key is only written when a review reminder e-mail has been sent for the order; for any other order the meta is absent and the lookup returns an empty string. An unauthenticated attacker can therefore send key: "" (an empty string), which is strictly equal to the missing value, and pass the check. The strict operator is not the flaw: it prevents type juggling but does not substitute for rejecting an empty stored key. This allows unauthenticated attackers to submit, modify, and inject product reviews via the endpoint, and because the ivole_enable_moderation option defaults to "no", the injected reviews are published without moderation.
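The check as the advisory describes it, next to a hardened version, modelled in PHP as an added illustration; this is not the plugin's own code. The function name create_review_permissions_check and the meta key ivole_secret_key follow the advisory text, while the request parameter names order_id and key, the order IDs and the in-memory stand-in for WordPress post meta are assumptions so the file runs under plain php-cli without WordPress. The hardened version goes one step beyond the described fix by also using hash_equals() for a constant-time comparison.

```php
<?php
// Added illustration of the permission check described in the advisory.
// Not the plugin's own code: function name and meta key follow the advisory,
// request parameter names and the in-memory meta store are assumptions.

// Stand-in for WordPress get_post_meta() so this runs under plain php-cli.
// Like the real function with $single = true, it returns '' for a key that
// was never written.
if (!function_exists('get_post_meta')) {
    $GLOBALS['demo_post_meta'] = [
        101 => ['ivole_secret_key' => 'a1b2c3d4e5f6'], // reminder e-mail sent: key stored
        102 => [],                                     // no reminder sent: key never stored
    ];
    function get_post_meta($post_id, $key = '', $single = false) {
        return $GLOBALS['demo_post_meta'][$post_id][$key] ?? '';
    }
}

// Vulnerable form: strict comparison alone. For an order without a stored key
// the lookup yields '' and an attacker-supplied '' satisfies ===.
function create_review_permissions_check_vulnerable(array $request): bool {
    $order_id = (int) ($request['order_id'] ?? 0);
    $stored   = get_post_meta($order_id, 'ivole_secret_key', true);
    return ($request['key'] ?? null) === $stored;
}

// Hardened form: an order that was never issued a key cannot be reviewed via
// this endpoint, and the comparison is constant-time (hash_equals is an
// addition beyond the fix the advisory describes).
function create_review_permissions_check_fixed(array $request): bool {
    $order_id = (int) ($request['order_id'] ?? 0);
    $supplied = $request['key'] ?? '';
    $stored   = get_post_meta($order_id, 'ivole_secret_key', true);
    if (!is_string($supplied) || !is_string($stored)) {
        return false;
    }
    if ($stored === '' || $supplied === '') {
        return false; // no key ever issued for this order, or none supplied
    }
    return hash_equals($stored, $supplied);
}

// Constructed requests covering the legitimate case, a wrong key, and the
// empty-key bypass against an order that never received a reminder.
$cases = [
    'valid key, order 101' => ['order_id' => 101, 'key' => 'a1b2c3d4e5f6'],
    'wrong key, order 101' => ['order_id' => 101, 'key' => 'zzzz'],
    'empty key, order 101' => ['order_id' => 101, 'key' => ''],
    'empty key, order 102' => ['order_id' => 102, 'key' => ''], // the bypass
];
foreach ($cases as $label => $req) {
    printf("%-22s vulnerable=%-5s fixed=%s\n", $label,
        var_export(create_review_permissions_check_vulnerable($req), true),
        var_export(create_review_permissions_check_fixed($req), true));
}
```

Run with `php check.php`. Only the last case separates the two versions: for order 102, which never had a key stored, the vulnerable check accepts the empty key and the hardened check rejects it; the first three cases behave identically under both.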
Recommendations Update to version 5.103.1 or later. Until the update can be applied, disable the POST /ivole/v1/review REST endpoint as a temporary workaround; this blocks every submission through that endpoint, legitimate or not, so remove the block once the site is updated.
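One way to apply that workaround on a WordPress site, written here as an added example rather than anything shipped by the plugin or its vendor: a must-use plugin that uses the core rest_pre_dispatch filter to refuse POST requests for the route before WordPress matches it to a handler, so the plugin's permission callback is never reached. The error code string and message are assumptions; the filter, WP_Error and the WP_REST_Request methods used are WordPress core.

```php
<?php
/**
 * Plugin Name: Temporary block for POST /ivole/v1/review
 *
 * Added illustration of the advisory's workaround, not plugin or vendor code.
 * Place in wp-content/mu-plugins/ and delete after updating to 5.103.1+.
 * rest_pre_dispatch runs before route matching, so returning a WP_Error here
 * short-circuits the request before any permission callback is invoked.
 */

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Another filter may already have produced a response; leave it alone.
    if ($result !== null) {
        return $result;
    }

    // WP_REST_Server applies _method and X-HTTP-Method-Override before
    // dispatch, so get_method() already reflects any override attempt.
    $method = strtoupper($request->get_method());
    $route  = rtrim($request->get_route(), '/');

    if ($method === 'POST' && strcasecmp($route, '/ivole/v1/review') === 0) {
        // Error code and message are assumed names chosen for this example.
        return new WP_Error(
            'rest_route_disabled',
            'Review submission via this endpoint is temporarily disabled.',
            ['status' => 403]
        );
    }

    return $result;
}, 10, 3);
```

Verify it with a plain POST to /wp-json/ivole/v1/review (and the /?rest_route=/ivole/v1/review form), which should now return HTTP 403, while GET requests to the same route and all other routes are unaffected.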

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2026-4664

Affected Products

Customer Reviews For Woocommerce
Woocommerce