CVE-2026-4664 Overview
The Customer Reviews for WooCommerce plugin for WordPress contains an authentication bypass vulnerability affecting all versions up to and including 5.103.0. This flaw exists in the create_review_permissions_check() function, which improperly validates user-supplied authentication keys against order metadata. The vulnerability allows unauthenticated attackers to submit, modify, and inject product reviews on any product through the REST API endpoint POST /ivole/v1/review.
Critical Impact
Unauthenticated attackers can bypass permission checks by supplying an empty key parameter, enabling them to inject fraudulent reviews on any WooCommerce product. Reviews are auto-approved by default since ivole_enable_moderation defaults to "no".
Affected Products
- Customer Reviews for WooCommerce plugin for WordPress versions up to and including 5.103.0
- WordPress installations using the vulnerable plugin versions
- WooCommerce stores with the Customer Reviews plugin installed
Discovery Timeline
- 2026-04-10 - CVE CVE-2026-4664 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-4664
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) allows unauthenticated attackers to circumvent permission checks in the Customer Reviews for WooCommerce plugin. The flaw stems from improper validation logic in the review submission endpoint, where the authentication mechanism fails to account for orders that have not received a review reminder email. When exploited, attackers can manipulate product reviews across an entire WooCommerce store without any authentication, potentially damaging business reputation through fake negative reviews or artificially inflating ratings with fraudulent positive reviews. The attack surface is network-accessible and requires no user interaction or privileges to exploit.
Root Cause
The vulnerability resides in the create_review_permissions_check() function, which performs a strict equality comparison (===) between the user-supplied key parameter and the order's ivole_secret_key meta value. The critical flaw is that the function never verifies that the stored key is non-empty. For orders where no review reminder email has been sent, the ivole_secret_key meta is never written, so get_meta() returns an empty string. By supplying key: "", an attacker matches that empty value and passes the permission check. In other words, the check only proves that the caller knows whatever value is stored for the order; it never confirms that a key was ever issued.
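The following PHP is an added example written for this page, not code from the Customer Reviews for WooCommerce plugin. It reconstructs the check described above as two pure functions, one with the strict-equality-only behaviour and one with the non-empty check the fix adds, and shows the shape of a REST permission callback built on the hardened form. wc_get_order(), get_meta(), WP_REST_Request and WP_Error are real WordPress/WooCommerce APIs; the helper names, the order_id parameter name and the sample key values are assumptions.

```php
<?php
// Added example (not the plugin's code): reconstruction of the key check
// described for create_review_permissions_check(), before and after the fix.
//
// In the plugin, the stored value comes from $order->get_meta('ivole_secret_key'),
// which returns '' when the order never received a review reminder email, and
// the supplied value from $request->get_param('key').

declare(strict_types=1);

/**
 * Vulnerable variant: strict equality only. '' === '' is true, so any order
 * whose reminder email was never sent accepts an empty key.
 */
function ivole_key_check_vulnerable(string $stored_key, string $supplied_key): bool
{
    return $supplied_key === $stored_key;
}

/**
 * Hardened variant: refuse when no key was ever stored for the order, refuse
 * empty input, then compare in constant time with hash_equals().
 */
function ivole_key_check_hardened($stored_key, $supplied_key): bool
{
    if (!is_string($stored_key) || $stored_key === '') {
        return false; // no key was ever issued for this order
    }
    if (!is_string($supplied_key) || $supplied_key === '') {
        return false;
    }
    return hash_equals($stored_key, $supplied_key);
}

/**
 * Shape of a REST permission_callback using the hardened check. The
 * 'order_id' and 'key' parameter names are assumed for illustration.
 */
function example_create_review_permissions_check($request)
{
    $order = wc_get_order((int) $request->get_param('order_id'));
    if (!$order) {
        return new WP_Error('rest_forbidden', 'Invalid order.', ['status' => 403]);
    }
    $stored   = $order->get_meta('ivole_secret_key', true);
    $supplied = (string) $request->get_param('key');
    if (!ivole_key_check_hardened($stored, $supplied)) {
        return new WP_Error('rest_forbidden', 'Invalid review key.', ['status' => 403]);
    }
    return true;
}

// Stand-alone demonstration with constructed inputs (run with: php this_file.php).
if (PHP_SAPI === 'cli') {
    $cases = [
        // [stored meta value, caller-supplied key]
        ['', ''],                   // reminder never sent, empty key supplied
        ['', 'guess'],              // reminder never sent, non-empty guess
        ['a1b2c3d4', 'a1b2c3d4'],   // legitimate customer using the mailed key
        ['a1b2c3d4', ''],           // key issued, empty key supplied
    ];
    foreach ($cases as [$stored, $supplied]) {
        printf("stored=%-10s supplied=%-10s vulnerable=%-5s hardened=%s\n",
            var_export($stored, true), var_export($supplied, true),
            var_export(ivole_key_check_vulnerable($stored, $supplied), true),
            var_export(ivole_key_check_hardened($stored, $supplied), true));
    }
}
```

The first case is the bug: the vulnerable variant returns true for an empty stored key and an empty supplied key, while the hardened variant returns false. The third case shows that a legitimate customer is still accepted after the fix. hash_equals() is used rather than === so that the comparison does not leak key contents through timing.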
Attack Vector
The vulnerability is exploitable via the network through the REST API endpoint POST /ivole/v1/review. An attacker can craft a malicious request with an empty key parameter targeting orders that have not received review reminder emails. Since the moderation setting ivole_enable_moderation defaults to "no", injected reviews are automatically approved and displayed on the storefront immediately. This allows attackers to target any product in the store, including products not associated with the referenced order.
The attack requires only network access to the WordPress REST API and a valid order ID. WooCommerce order IDs are auto-incrementing integers, so an attacker can enumerate them rather than needing to know one in advance. No authentication, special privileges, or user interaction is required to exploit this vulnerability.
Detection Methods for CVE-2026-4664
Indicators of Compromise
- Unusual volume of review submissions through the /ivole/v1/review REST API endpoint
- Reviews submitted with empty or missing key parameters in API requests
- Reviews appearing on products for orders that never received review reminder emails
- Suspicious review patterns such as bulk submissions from similar IP ranges or with templated content
Detection Strategies
- Monitor WordPress REST API logs for requests to /ivole/v1/review with empty key parameters
- Implement Web Application Firewall (WAF) rules to detect and block suspicious review submission patterns
- Review audit logs for review creation events that lack corresponding review reminder email sends
- Configure alerts for abnormal spikes in product review activity
Monitoring Recommendations
- Enable detailed logging for WooCommerce REST API endpoints
- Implement rate limiting on the review submission endpoint to slow down bulk exploitation attempts
- Regularly audit product reviews for suspicious or fraudulent content
- Monitor for reviews submitted against orders without associated ivole_secret_key metadata
How to Mitigate CVE-2026-4664
Immediate Actions Required
- Update the Customer Reviews for WooCommerce plugin to version 5.104.0 or later immediately
- Review existing product reviews for potentially fraudulent entries submitted through the vulnerable endpoint
- Enable review moderation by setting ivole_enable_moderation to "yes" until the patch is applied
- Consider temporarily disabling the plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in Customer Reviews for WooCommerce version 5.104.0. The fix adds proper validation to ensure the stored secret key is non-empty before performing the equality comparison. Site administrators should update to the patched version immediately. The WordPress WooCommerce Change Set details the specific code changes implemented. Additional technical analysis is available from the Wordfence Vulnerability Analysis.
Workarounds
- Enable review moderation by changing ivole_enable_moderation from "no" to "yes" in the plugin settings
- Implement WAF rules to block REST API requests to /ivole/v1/review with empty key parameters
- Restrict access to the WordPress REST API from untrusted networks if feasible
- Manually send review reminder emails to existing orders to populate the ivole_secret_key meta value; this only covers orders that already exist, emails every customer it is sent to, and leaves new orders exposed until their own reminder is sent, so it is not a substitute for updating
# WordPress CLI command to enable review moderation as a temporary mitigation
wp option update ivole_enable_moderation "yes"
# Check current moderation setting
wp option get ivole_enable_moderation
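As an added example for the WAF and logging workarounds above, and for the detection strategy of watching /ivole/v1/review requests with empty key parameters (this is not part of the Customer Reviews for WooCommerce plugin or of WordPress core): a must-use plugin that rejects POST /ivole/v1/review requests whose key is empty or missing before the plugin's permission callback runs, and writes a log line for each attempt so the monitoring recommendations above have something to alert on. The route and the key parameter name come from the advisory; the order_id and product_id parameter names, the log format and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Block empty-key review submissions (CVE-2026-4664 stopgap)
 *
 * Added example, not part of the Customer Reviews for WooCommerce plugin.
 * Drop this file into wp-content/mu-plugins/ on an unpatched site. It rejects
 * POST /ivole/v1/review requests whose "key" parameter is empty or absent,
 * which is the condition the advisory describes, and logs each attempt so
 * the events can be correlated with order IDs later. Remove it after
 * updating to 5.104.0 or later. The order_id and product_id parameter names
 * used in the log line are assumptions.
 */

declare(strict_types=1);

/**
 * Pure decision: does this request match the exploit condition?
 * Normalising the route tolerates trailing slashes and ?rest_route= forms.
 */
function cve_2026_4664_is_empty_key_submission(string $route, string $method, $key): bool
{
    $route = '/' . trim($route, '/');
    if (strcasecmp($route, '/ivole/v1/review') !== 0) {
        return false;
    }
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    // A missing key (null), an empty string, or a whitespace-only key all count.
    return !is_string($key) || trim($key) === '';
}

if (function_exists('add_filter')) {
    // rest_pre_dispatch runs before the endpoint's permission_callback; returning
    // a WP_Error here short-circuits dispatch and is sent as the HTTP response.
    add_filter('rest_pre_dispatch', function ($result, $server, $request) {
        if (!cve_2026_4664_is_empty_key_submission(
            $request->get_route(), $request->get_method(), $request->get_param('key')
        )) {
            return $result;
        }
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
        error_log(sprintf(
            'CVE-2026-4664 block: ip=%s order_id=%s product_id=%s route=%s',
            $ip,
            var_export($request->get_param('order_id'), true),
            var_export($request->get_param('product_id'), true),
            $request->get_route()
        ));
        return new WP_Error(
            'rest_forbidden',
            'Review submissions require a valid key.',
            ['status' => 403]
        );
    }, 10, 3);
}

// Stand-alone self-check with constructed requests (run with: php this_file.php).
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $cases = [
        ['/ivole/v1/review',  'POST', ''],          // exploit attempt
        ['/ivole/v1/review/', 'POST', null],        // key missing entirely
        ['/ivole/v1/review',  'POST', 'a1b2c3d4'],  // legitimate customer
        ['/wc/v3/products',   'POST', ''],          // unrelated endpoint
        ['/ivole/v1/review',  'GET',  ''],          // not a submission
    ];
    foreach ($cases as [$route, $method, $key]) {
        printf("%-20s %-5s key=%-10s blocked=%s\n", $route, $method,
            var_export($key, true),
            var_export(cve_2026_4664_is_empty_key_submission($route, $method, $key), true));
    }
}
```

Only the first two constructed cases are blocked. The decision is kept in a pure function so it can be exercised from the command line without WordPress loaded; inside WordPress the same function drives the rest_pre_dispatch filter. The log line goes to PHP's error log, so it lands wherever the host's PHP error_log directive points; feed those lines into whatever alerting the site already has for spikes in review activity.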
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


