Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12684

CVE-2026-12684: WooCommerce Plugin Auth Bypass Vulnerability

CVE-2026-12684 is an authentication bypass flaw in the Customer Reviews for WooCommerce WordPress plugin that allows unauthenticated attackers to upload media files. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-12684 Overview

CVE-2026-12684 affects the Customer Reviews for WooCommerce WordPress plugin in versions before 5.113.0. The plugin exposes an AJAX media upload action that performs no authentication, capability, or nonce checks when the review media attachment feature is enabled. Unauthenticated remote attackers can upload image and video files to the WordPress Media Library and create attachment posts. Exploitation leads to media library pollution and disk space exhaustion on the target site. The vulnerability falls under [CWE-862] Missing Authorization and represents a Broken Access Control weakness in an AJAX endpoint.

Critical Impact

Unauthenticated attackers can pollute the Media Library and exhaust disk space on affected WooCommerce sites.

Affected Products

  • Customer Reviews for WooCommerce WordPress plugin versions before 5.113.0
  • WordPress sites running the plugin with the review media attachment feature enabled
  • WooCommerce storefronts that expose the plugin's AJAX endpoints to unauthenticated visitors

Discovery Timeline

  • 2026-07-16 - CVE-2026-12684 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-12684

Vulnerability Analysis

The Customer Reviews for WooCommerce plugin registers an AJAX action to support uploading media attached to customer reviews. When the review media attachment feature is enabled, this handler executes without validating the requester's identity or intent. The handler skips is_user_logged_in() checks, WordPress capability checks such as current_user_can(), and nonce verification via check_ajax_referer(). Any unauthenticated client can invoke the endpoint through wp-admin/admin-ajax.php and submit files. The plugin does enforce a MIME allowlist restricted to image and video types, which limits direct code execution paths. However, the endpoint still creates attachment posts and writes files into the wp-content/uploads directory. Repeated invocations enable an attacker to fill the Media Library with arbitrary content and exhaust available disk space, degrading site availability.

Root Cause

The root cause is missing authorization on a privileged AJAX action. The developer registered the upload handler on the wp_ajax_nopriv_ hook without adding the authentication, capability, and nonce checks required for state-changing operations. This is a common WordPress plugin anti-pattern where a feature intended for logged-in reviewers is exposed to anonymous users.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted multipart/form-data POST request to the plugin's AJAX endpoint with an image or video payload. The endpoint accepts the upload, stores the file under wp-content/uploads, and creates a corresponding attachment post in the database. Scripted repetition of this request produces unbounded storage growth and Media Library pollution. Technical details are documented in the WPScan Vulnerability Report.

Detection Methods for CVE-2026-12684

Indicators of Compromise

  • High volumes of unauthenticated POST requests to /wp-admin/admin-ajax.php referencing the plugin's media upload action name
  • Rapid growth of files under wp-content/uploads/ with no corresponding user or order activity
  • Large numbers of new attachment post entries in wp_posts authored by user ID 0
  • Disk space utilization alerts on the web server or hosting volume backing the WordPress install

Detection Strategies

  • Review web server access logs for repeated admin-ajax.php requests carrying the plugin's action parameter from a single source IP or user agent
  • Query the WordPress database for attachment posts created without an authenticated author while the plugin was installed
  • Compare current Media Library file counts and directory sizes against historical baselines to identify sudden increases

Monitoring Recommendations

  • Enable web application firewall logging for admin-ajax.php and alert on anomalous request rates from unauthenticated sources
  • Monitor filesystem usage on wp-content/uploads and trigger alerts on rapid growth
  • Track WordPress database growth in the wp_posts and wp_postmeta tables tied to attachment creation

How to Mitigate CVE-2026-12684

Immediate Actions Required

  • Update the Customer Reviews for WooCommerce plugin to version 5.113.0 or later on all affected WordPress installations
  • Audit the Media Library and wp-content/uploads directory for unexpected image and video files, then remove attacker-uploaded content
  • Rate-limit or block unauthenticated requests to admin-ajax.php at the web application firewall or reverse proxy layer

Patch Information

The vendor addressed the vulnerability in Customer Reviews for WooCommerce version 5.113.0 by adding authentication, capability, and nonce checks to the affected AJAX handler. Site administrators should apply the update through the WordPress plugin manager or WP-CLI (wp plugin update customer-reviews-woocommerce). Refer to the WPScan Vulnerability Report for the full advisory.

Workarounds

  • Disable the review media attachment feature in the plugin settings until the patched version is deployed
  • Deactivate the Customer Reviews for WooCommerce plugin if the media upload feature cannot be turned off independently
  • Add a WAF rule that blocks unauthenticated POST requests to admin-ajax.php targeting the plugin's specific action parameter
  • Configure filesystem quotas on wp-content/uploads to cap the impact of storage exhaustion attempts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.