The “Customer Reviews for WooCommerce” plugin is a staple for stores looking to build trust through social proof. It does a lot of heavy lifting – sending review reminders, aggregating feedback, and adding those “Verified Owner” badges that shoppers look for. But a flaw in how it handles external review submissions shows that “verified” doesn’t always mean “authentic.”
The problem
While digging into a client’s store, we noticed a surge in “Verified” reviews for products that hadn’t actually been purchased by the people leaving the feedback. The reviews were coming in via the plugin’s custom REST API endpoint.
It turns out that version 5.103.0 and below has a critical weakness in how it authenticates these remote submissions. The system is designed to allow customers to leave reviews via an external link (like an email reminder) without logging into the WordPress site. To do this, it uses a unique security key for each order.
What it does
The CVE-2026-4664 vulnerability allows an unauthenticated attacker to bypass this security check and post reviews for any product on the site.
- Authentication Bypass: The plugin fails to properly validate the security key when an order hasn’t had one explicitly assigned yet, or when certain test modes are active.
- Arbitrary Submission: Attackers can submit reviews for any valid order ID. Since order IDs are usually sequential, they are easy to guess or brute-force.
- Instant “Verified” Status: Because the reviews are linked to a real order ID, they automatically receive the “Verified Review” badge, bypassing the usual scepticism visitors might have for anonymous feedback.
How it works
The vulnerability is tucked away in the CR_Endpoint class. When a POST request hits the /wp-json/ivole/v1/review endpoint, the plugin compares the request’s key parameter with the value stored in the order’s ivole_secret_key metadata.
The logic falls apart when that metadata is missing or empty. In many WordPress environments, get_meta will return an empty string for non-existent keys. If an attacker also sends an empty string as the key, the comparison "" === "" succeeds, and the plugin just processes the review as legitimate.
There’s also a “test mode” fallback that checks a global ivole_test_secret_key option. If this hasn’t been set by the site owner, it can lead to a similar bypass scenario.
Security and privacy
Trust is the currency of e-commerce. If a competitor can flood your store with 1-star “Verified” reviews, or if a spammer can use your products to promote malicious sites with the weight of your brand’s endorsement, that trust evaporates.
This isn’t just about bad reviews – it’s about the integrity of the data your business relies on to make decisions and build its reputation.
In short – attackers can fill your site with spammy content, disguised as reviews. This will adversely affect your website’s standing with Google.
Technical notes
The fix in version 5.103.1 adds explicit checks for empty keys and ensures that the order-specific secret must be a non-empty, cryptographically secure string before a review is accepted.
The developers have also tightened the global test mode logic to prevent accidental exposures on production sites.
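To make the empty-key comparison described under “How it works” and the shape of the 5.103.1 fix concrete, here is an added PHP illustration. It is not the plugin’s code: the function names, the 32-character minimum and the ivole_test_mode_enabled option are assumptions; only ivole_secret_key and ivole_test_secret_key come from the write-up.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the length
// floor and the ivole_test_mode_enabled option are assumptions for this example.

/**
 * Weak check, as the write-up describes the pre-5.103.1 behaviour:
 * a never-assigned meta value comes back as "" and "" === "" is true,
 * and an unset test key option falls through the same way.
 */
function cr_key_check_weak( WC_Order $order, string $submitted_key ): bool {
    $stored = $order->get_meta( 'ivole_secret_key' ); // "" when never assigned
    if ( $stored === $submitted_key ) {
        return true;
    }
    $test_key = get_option( 'ivole_test_secret_key', '' ); // "" when never set
    return $test_key === $submitted_key;
}

/**
 * Hardened check: reject empty or short secrets on either side, honour the
 * test key only when test mode is explicitly switched on, and compare in
 * constant time so the comparison itself leaks nothing about the secret.
 */
function cr_key_check_hardened( WC_Order $order, string $submitted_key ): bool {
    if ( strlen( $submitted_key ) < 32 ) {
        return false; // covers "" and anything too short to be a real secret
    }
    $stored = (string) $order->get_meta( 'ivole_secret_key' );
    if ( strlen( $stored ) >= 32 && hash_equals( $stored, $submitted_key ) ) {
        return true;
    }
    // Hypothetical explicit switch; production sites leave it at "no".
    if ( 'yes' !== get_option( 'ivole_test_mode_enabled', 'no' ) ) {
        return false;
    }
    $test_key = (string) get_option( 'ivole_test_secret_key', '' );
    return strlen( $test_key ) >= 32 && hash_equals( $test_key, $submitted_key );
}

/**
 * Assign a secret when the review reminder is generated, so no order is ever
 * left with an empty ivole_secret_key for the check above to fall through on.
 */
function cr_assign_secret( WC_Order $order ): string {
    $secret = bin2hex( random_bytes( 32 ) ); // 64 hex chars from the CSPRNG
    $order->update_meta_data( 'ivole_secret_key', $secret );
    $order->save();
    return $secret;
}
```

The hardened version fails closed on an empty or short key regardless of whether the order has a secret yet, which is the condition the write-up identifies as the bypass.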