Customer Reviews for WooCommerce Authentication Bypass Vulnerability Allowing Unauthenticated Review Submission

Vulnerability

A vulnerability exists in the Customer Reviews for WooCommerce plugin for WordPress, affecting all versions up to and including 5.103.0. The issue arises from the 'create_review_permissions_check()' function, which compares the user-supplied 'key' parameter to the order's 'ivole_secret_key' meta value using strict equality. This comparison fails to ensure that the stored key is non-empty. For orders that have not received a review reminder email, the 'ivole_secret_key' meta is unset, leading 'get_meta()' to return an empty string. Exploiting this, an attacker can send a 'key' parameter with an empty value to bypass the permission check. This vulnerability allows unauthenticated users to submit, modify, and inject product reviews through the REST API endpoint 'POST /ivole/v1/review'. By default, submitted reviews are auto-approved.
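The comparison described above, as an added example that is not the plugin's code: a minimal stand-in for an order whose get_meta() returns an empty string for an unset key (the behaviour the advisory attributes to the real order object), the vulnerable strict-equality check, and a hardened form that rejects an unset key and compares in constant time. StubOrder and both check functions are names assumed for this example.

```php
<?php
// Added example, not the plugin's code. StubOrder models only what the
// advisory relies on: get_meta() returns '' when the meta was never set.
class StubOrder {
    private array $meta;
    public function __construct(array $meta) { $this->meta = $meta; }
    public function get_meta(string $key): string {
        return $this->meta[$key] ?? '';
    }
}

// Vulnerable pattern as described: strict equality alone. When the order
// never received a reminder email, both sides are '' and the check passes.
function vulnerable_permission_check(StubOrder $order, string $supplied_key): bool {
    return $supplied_key === $order->get_meta('ivole_secret_key');
}

// Hardened check: an unset or empty stored key can never authorize anything,
// and hash_equals() compares in constant time.
function hardened_permission_check(StubOrder $order, string $supplied_key): bool {
    $stored = $order->get_meta('ivole_secret_key');
    if ($stored === '' || $supplied_key === '') {
        return false;
    }
    return hash_equals($stored, $supplied_key);
}

// Constructed orders: one with no reminder sent (meta unset), one with a key.
$no_reminder   = new StubOrder([]);
$with_reminder = new StubOrder(['ivole_secret_key' => 'constructed-secret-key']);

printf("vulnerable, unset meta, empty key: %s\n",
    vulnerable_permission_check($no_reminder, '') ? 'allowed' : 'denied');
printf("hardened,   unset meta, empty key: %s\n",
    hardened_permission_check($no_reminder, '') ? 'allowed' : 'denied');
printf("hardened,   correct key:           %s\n",
    hardened_permission_check($with_reminder, 'constructed-secret-key') ? 'allowed' : 'denied');
```

Run against the stub order with no meta, the vulnerable check allows the empty key while the hardened check denies it; only the correct key is allowed by the hardened check.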

Impact

Exploitation of this vulnerability allows for unauthorized submission, modification, and injection of product reviews via the REST API, with all reviews being automatically approved.

Reproduction

To reproduce this vulnerability, send a POST request to the '/ivole/v1/review' endpoint with an empty 'key' parameter. This can be done using a REST client or through custom code that interacts with the WordPress REST API. Ensure that no review reminder email has been sent for the target order, since that leaves the 'ivole_secret_key' meta unset and allows the empty key to pass the permission check.

Remediation

Users are advised to update the Customer Reviews for WooCommerce plugin to version 5.104.0 or later.

Added: Apr 10, 2026, 2:31 AM
Updated: Apr 10, 2026, 2:31 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 8.9
remediation: 7.7
relevance: 5.6
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.