The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via...
🔗 CVE IDs covered (1)
📋 Description
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowd_validate_token() function using a loose comparison operator (!=) instead of a strict comparison (!==) when validating the token parameter, while the corresponding REST route /wp-json/helpfulcrowd/v1/update-settings is registered with a permission_callback of __return_true, making it reachable by unauthenticated users; submitting a JSON boolean true as the token value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke helpfulcrowd_settings_endpoint() and write arbitrary attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option via update_option() without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-8499
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L13
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L71
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/core.php#L122
- https://www.wordfence.com/threat-intel/vulnerabilities/id/26f34aa0-8584-4156-b084-d34a0ab0a997?source=cve
- https://github.com/advisories/GHSA-q2xw-j7qq-rpp9