Customer Reviews for WooCommerce < 5.38.2 – Missing Authorization via manual review reminders | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the manual_review_reminder, manual_wa_review_reminder, and manual_review_reminder_conf functions in all versions up to 5.38.2 (exclusive). This makes it possible for authenticated attackers, with subscriber access and above, to configure and send manual review reminders.

Affects Plugins

customer-reviews-woocommerce

Fixed in 5.38.2

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c6e2710f-f51a-487d-a4bb-a19f614ff254

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

1ca965a8-e8c1-4aa5-9af8-7ab98d73caab

Timeline

Publicly Published

2023-11-19 (about 2 years ago)

Added

2024-01-20 (about 2 years ago)

Last Updated

2024-01-20 (about 2 years ago)

Other

Published

Title

Published

2025-01-30

Title

ECPay Ecommerce for WooCommerce < 1.1.2502030 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

Published

2026-01-26

Title

Tablesome < 1.2.9 - Missing Authorization

Published

2025-03-13

Title

SoundRise Music < 1.7.1 - Authenticated (Subscriber+) Arbitrary Options Update

Published

2024-12-14

Title

Easy Site Importer <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Settings Change

Published

2022-05-17

Title

Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion