CVE-2026-8499
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowd_validate_token() function using a loose comparison operator (!=) instead of a strict comparison (!==) when validating the token parameter, while the corresponding REST route /wp-json/helpfulcrowd/v1/update-settings is registered with a permission_callback of __return_true, making it reachable by unauthenticated users; submitting a JSON boolean true as the token value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke helpfulcrowd_settings_endpoint() and write arbitrary attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option via update_option() without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| helpfulcrowd | Helpfulcrowd Product Reviews | 0 <= 1.2.9 | affected |
Weaknesses
- CWE-843: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/26f34aa0-8584-4156-b084-d34a0ab0a997?source=cve
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L13
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L71
- https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/core.php#L122
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.