CVE-2026-12684 Overview
CVE-2026-12684 affects the Customer Reviews for WooCommerce WordPress plugin in versions before 5.113.0. The plugin exposes an AJAX media upload action that performs no authentication, capability, or nonce checks when the review media attachment feature is enabled. Unauthenticated remote attackers can upload image and video files to the WordPress Media Library and create attachment posts. Exploitation leads to media library pollution and disk space exhaustion on the target site. The vulnerability falls under [CWE-862] Missing Authorization and represents a Broken Access Control weakness in an AJAX endpoint.
Critical Impact
Unauthenticated attackers can pollute the Media Library and exhaust disk space on affected WooCommerce sites.
Affected Products
- Customer Reviews for WooCommerce WordPress plugin versions before 5.113.0
- WordPress sites running the plugin with the review media attachment feature enabled
- WooCommerce storefronts that expose the plugin's AJAX endpoints to unauthenticated visitors
Discovery Timeline
- 2026-07-16 - CVE-2026-12684 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-12684
Vulnerability Analysis
The Customer Reviews for WooCommerce plugin registers an AJAX action to support uploading media attached to customer reviews. When the review media attachment feature is enabled, this handler executes without validating the requester's identity or intent. The handler skips is_user_logged_in() checks, WordPress capability checks such as current_user_can(), and nonce verification via check_ajax_referer(). Any unauthenticated client can invoke the endpoint through wp-admin/admin-ajax.php and submit files. The plugin does enforce a MIME allowlist restricted to image and video types, which limits direct code execution paths. However, the endpoint still creates attachment posts and writes files into the wp-content/uploads directory. Repeated invocations enable an attacker to fill the Media Library with arbitrary content and exhaust available disk space, degrading site availability.
Root Cause
The root cause is missing authorization on a privileged AJAX action. The developer registered the upload handler on the wp_ajax_nopriv_ hook without adding the authentication, capability, and nonce checks required for state-changing operations. This is a common WordPress plugin anti-pattern where a feature intended for logged-in reviewers is exposed to anonymous users.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted multipart/form-data POST request to the plugin's AJAX endpoint with an image or video payload. The endpoint accepts the upload, stores the file under wp-content/uploads, and creates a corresponding attachment post in the database. Scripted repetition of this request produces unbounded storage growth and Media Library pollution. Technical details are documented in the WPScan Vulnerability Report.
Detection Methods for CVE-2026-12684
Indicators of Compromise
- High volumes of unauthenticated POST requests to /wp-admin/admin-ajax.php referencing the plugin's media upload action name
- Rapid growth of files under wp-content/uploads/ with no corresponding user or order activity
- Large numbers of new attachment post entries in wp_posts authored by user ID 0
- Disk space utilization alerts on the web server or hosting volume backing the WordPress install
Detection Strategies
- Review web server access logs for repeated admin-ajax.php requests carrying the plugin's action parameter from a single source IP or user agent
- Query the WordPress database for attachment posts created without an authenticated author while the plugin was installed
- Compare current Media Library file counts and directory sizes against historical baselines to identify sudden increases
Monitoring Recommendations
- Enable web application firewall logging for admin-ajax.php and alert on anomalous request rates from unauthenticated sources
- Monitor filesystem usage on wp-content/uploads and trigger alerts on rapid growth
- Track WordPress database growth in the wp_posts and wp_postmeta tables tied to attachment creation
How to Mitigate CVE-2026-12684
Immediate Actions Required
- Update the Customer Reviews for WooCommerce plugin to version 5.113.0 or later on all affected WordPress installations
- Audit the Media Library and wp-content/uploads directory for unexpected image and video files, then remove attacker-uploaded content
- Rate-limit or block unauthenticated requests to admin-ajax.php at the web application firewall or reverse proxy layer
Patch Information
The vendor addressed the vulnerability in Customer Reviews for WooCommerce version 5.113.0 by adding authentication, capability, and nonce checks to the affected AJAX handler. Site administrators should apply the update through the WordPress plugin manager or WP-CLI (wp plugin update customer-reviews-woocommerce). Refer to the WPScan Vulnerability Report for the full advisory.
Workarounds
- Disable the review media attachment feature in the plugin settings until the patched version is deployed
- Deactivate the Customer Reviews for WooCommerce plugin if the media upload feature cannot be turned off independently
- Add a WAF rule that blocks unauthenticated POST requests to admin-ajax.php targeting the plugin's specific action parameter
- Configure filesystem quotas on wp-content/uploads to cap the impact of storage exhaustion attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

