Back to overview

CVE-2026-12684

Description
The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.

Metadata

CVE ID
CVE-2026-12684
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-19 07:49 UTC
Published
2026-07-16 06:00 UTC
Last updated
2026-07-16 06:00 UTC
Vendor / Product
Unknown / Customer Reviews for WooCommerce
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown Customer Reviews for WooCommerce 0 < 5.113.0
Weakness (CWE)
CWESourceDescription
cna CWE-434 Unrestricted Upload of File with Dangerous Type
Back to overview