Platform: wordpress
Component: customer-reviews-woocommerce
Fixed in: 5.103.1, 5.104.0
CVE-2026-4664 is an authentication bypass in the Customer Reviews for WooCommerce plugin for WordPress. The permission check that gates review creation can be bypassed, so a request the plugin should reject can still create a review. Versions up to and including 5.103.0 are affected; the fix ships in version 5.104.0.
The impact is on content integrity rather than confidentiality: an attacker can submit reviews that should have been refused, including fake or biased ones, without the authentication the plugin intends to enforce. On a store that depends on reviews, an attacker can flood products with false content, mislead customers, damage the site's reputation and generate spam. The flaw does not by itself lead to data exfiltration or compromise of the server, but manipulated reviews carry real business consequences and erode customer trust.
This vulnerability was publicly disclosed on 2026-04-10. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's ease of exploitation, combined with the plugin's popularity, suggests it could become a target for automated attacks.
Exploit Status
EPSS: 0.18% (39th percentile)
The primary mitigation is to upgrade the Customer Reviews for WooCommerce plugin to version 5.104.0 or later as soon as possible. If upgrading is not immediately feasible, a temporary workaround is to restrict access to the review creation path: add a custom access-control rule in the WordPress environment that enforces stricter authentication than the plugin currently does, and consider a WordPress security plugin with WAF capabilities to block suspicious requests aimed at review creation. After upgrading, verify the fix by attempting to create a review without proper authentication; the request should be rejected.
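The custom access-control rule described above, as an added example that is not part of this page or of the plugin itself. It is a WordPress must-use plugin that hooks the core preprocess_comment filter, which runs for every comment created through wp_new_comment() (the path used by wp-comments-post.php) before anything is stored, and refuses product reviews from requests that are not logged in while the installed plugin version is below 5.104.0. It assumes that WooCommerce stores product reviews as comments on the product post type and that the plugin's submission path goes through wp_new_comment(); a code path that calls wp_insert_comment() directly would not be covered, and the gate also blocks any unauthenticated review flow the plugin offers on purpose, so treat it as a stopgap. The file name, the function names prefixed cr_gate_ and the capability used are our choices.

```php
<?php
/**
 * Plugin Name: Review gate (CVE-2026-4664 stopgap)
 * Description: Refuse product reviews from unauthenticated requests until
 *              Customer Reviews for WooCommerce is at 5.104.0 or later.
 *
 * Added example, not part of the plugin. Install as
 * wp-content/mu-plugins/cr-review-gate.php (file name is our choice) and
 * delete it after upgrading. Assumptions: WooCommerce stores reviews as
 * comments on the 'product' post type, and the submission path calls
 * wp_new_comment(), which runs 'preprocess_comment' before storing anything.
 */

defined( 'ABSPATH' ) || exit;

const CR_GATE_FIXED_VERSION = '5.104.0';
const CR_GATE_PLUGIN_DIR    = 'customer-reviews-woocommerce/'; // slug from this advisory

/** True when the comment being created targets a WooCommerce product. */
function cr_gate_is_product_review( array $commentdata ) {
    $post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
    return $post_id > 0 && 'product' === get_post_type( $post_id );
}

/**
 * True when the installed plugin is already patched (or not installed at all),
 * so the gate switches itself off once the upgrade lands.
 */
function cr_gate_plugin_is_patched() {
    static $patched = null;
    if ( null !== $patched ) {
        return $patched;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $patched = true; // nothing to gate if the plugin is absent
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 === strpos( $file, CR_GATE_PLUGIN_DIR ) ) {
            $patched = version_compare( $data['Version'], CR_GATE_FIXED_VERSION, '>=' );
            break;
        }
    }
    return $patched;
}

/**
 * Decide whether the current request may create a product review. Stricter
 * than the vulnerable plugin on purpose: the requester must be a logged-in
 * user holding a capability ('read' here; adjust to your policy).
 */
function cr_gate_request_allowed() {
    return is_user_logged_in() && current_user_can( 'read' );
}

// Priority 1 so the gate runs before WooCommerce's own preprocess_comment filters.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! is_array( $commentdata ) || ! cr_gate_is_product_review( $commentdata ) ) {
        return $commentdata;
    }
    if ( cr_gate_plugin_is_patched() || cr_gate_request_allowed() ) {
        return $commentdata;
    }
    // Log enough to confirm the gate fires during the post-upgrade check
    // (a review attempt without authentication), without logging the body.
    error_log( sprintf(
        'cr-review-gate: refused unauthenticated review for product %d from %s',
        (int) $commentdata['comment_post_ID'],
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown'
    ) );
    wp_die(
        esc_html__( 'Product reviews require a logged-in account on this site.' ),
        esc_html__( 'Review refused' ),
        array( 'response' => 403 )
    );
}, 1 );
```

Because the gate checks the installed version on each request, it stops refusing reviews automatically once 5.104.0 or later is in place, but remove the file anyway so the extra rule does not outlive its reason. A WAF rule, by contrast, has to target the plugin's actual review submission endpoint, which this page does not name; inspect the plugin's front-end form and AJAX handlers before writing one.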
Update to version 5.104.0, or a newer patched version
CVE-2026-4664 is a vulnerability in the Customer Reviews for WooCommerce plugin that allows attackers to bypass authentication checks and submit reviews without proper authorization.
You are affected if you are using the Customer Reviews for WooCommerce plugin in versions up to 5.103.0. Check your plugin version and upgrade immediately if necessary.
Upgrade the Customer Reviews for WooCommerce plugin to version 5.104.0 or later. As a temporary workaround, restrict access to the review creation endpoint.
As of the current assessment, there are no known active exploits or campaigns targeting CVE-2026-4664, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official Customer Reviews for WooCommerce plugin website or WordPress plugin repository for the latest security advisory and update information.