CVE-2026-12684 in Customer Reviews for WooCommerce Plugin
Summary
by MITRE • 07/16/2026
The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in the Customer Reviews for WooCommerce WordPress plugin affects versions prior to 5.113.0 and represents a critical authorization flaw that undermines the security of WordPress media handling mechanisms. This issue specifically targets the plugin's review media attachment functionality, which allows users to upload supporting media files when submitting product reviews. The flaw manifests as the absence of proper authentication checks, capability verification, and nonce validation within one of the plugin's AJAX media upload endpoints. When the review media feature is enabled, any unauthenticated visitor can access this endpoint and perform media uploads without proper authorization, creating a significant vector for abuse that directly impacts system integrity and resource management.
The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the plugin's AJAX handler. The affected endpoint processes media uploads without verifying whether the requesting user possesses appropriate permissions or has been authenticated through legitimate WordPress authentication flows. This oversight allows attackers to bypass standard WordPress security controls that typically prevent unauthorized media uploads by enforcing capability checks such as the ability to upload files or manage media library content. The vulnerability specifically affects the plugin's review media attachment feature, which is designed to support image and video uploads but lacks proper sanitization of the upload process itself.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass resource exhaustion and system degradation. Unauthenticated users can systematically pollute the WordPress media library by uploading various file types that are permitted through the plugin's allowlist, which typically includes common image formats such as jpg, png, gif, and video formats like mp4 and mov. This media library pollution creates multiple security concerns including potential denial of service conditions due to disk space exhaustion, increased backup times, and degraded performance of media management operations. The accumulation of unauthorized attachments can also complicate content management and make it more difficult for legitimate administrators to maintain organized media libraries.
The vulnerability aligns with several cybersecurity frameworks and threat modeling approaches, particularly those addressing weak access control mechanisms. From a CWE perspective, this represents a weakness categorized under CWE-285: Improper Authorization, specifically manifesting as the absence of proper authentication checks in web applications. The issue also maps to ATT&CK tactics such as T1078: Valid Accounts and T1499: Endpoint Denial of Service, as it enables unauthorized access to system resources and can contribute to resource exhaustion attacks. Organizations implementing this plugin without updating to version 5.113.0 face increased risk of both direct exploitation for media library manipulation and indirect consequences such as storage consumption that could impact overall system performance. The vulnerability demonstrates how seemingly minor implementation oversights in WordPress plugins can create significant security exposure points that affect entire websites and their associated infrastructure.
The recommended mitigation strategy involves immediate updating to version 5.113.0 or later, which incorporates proper authentication checks, capability verification, and nonce validation for the affected AJAX endpoint. Additionally, administrators should implement monitoring of media library uploads to detect unauthorized activity and consider implementing additional access controls such as restricting upload capabilities to authenticated users only. Regular security auditing of WordPress plugins and themes remains crucial for identifying similar authorization gaps in other components of the web application stack. Organizations should also review their backup strategies to ensure they can recover from potential media library pollution events while maintaining appropriate disk space monitoring to detect resource exhaustion conditions before they become critical system failures.