WP-Safety
CVE-2026-40781

ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema <= 2.3.6 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.3.7
Patched in
9d
Time to patch

Description

The ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.6
PublishedApril 22, 2026
Last updatedApril 30, 2026
Affected pluginreviewx

What Changed in the Fix

Changes introduced in v2.3.7

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.3.6
Browse source Download .zip
Patched v2.3.7
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-40781 ## 1. Vulnerability Summary The **ReviewX** plugin (versions <= 2.3.6) contains a missing authorization vulnerability in its **Migration Rollback** module. This module was designed to allow users to revert from the new "SaaS-based" version of the plugin…

Show full research plan

Exploitation Research Plan - CVE-2026-40781

1. Vulnerability Summary

The ReviewX plugin (versions <= 2.3.6) contains a missing authorization vulnerability in its Migration Rollback module. This module was designed to allow users to revert from the new "SaaS-based" version of the plugin back to the "Legacy" version. The handlers for these operations are registered as AJAX actions but lack any capability checks (current_user_can) or nonce verification. This allows unauthenticated attackers to perform unauthorized actions such as activating/deactivating the Pro version of the plugin or retrieving sensitive configuration data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Authentication: None required (Unauthenticated).
  • Vulnerable Actions (Inferred):
    • rx_activate_old_pro_plugin (Triggers SharedMethods::reviewx_activate_old_pro_plugin)
    • rx_deactivate_old_pro_plugin (Triggers SharedMethods::reviewx_deactivate_old_pro_plugin)
    • rx_retrieve_old_plugin_options_data (Triggers MigrationPrompt::reviewx_retrieve_old_plugin_options_data)
  • Preconditions: The plugin must be active. For the "activate" action to have a visible effect, the ReviewX Pro plugin files must exist
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/f3fc921f-14f2-429a-894e-953522e59747?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database