๐Ÿ” CVE Alert

CVE-2026-12684

UNKNOWN 0.0

Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.

Vendor unknown
Product customer reviews for woocommerce
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for unknown customer reviews for woocommerce

Be the first to know when new unknown vulnerabilities affecting unknown customer reviews for woocommerce are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Customer Reviews for WooCommerce
0 < 5.113.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/169d3455-dd98-4b0b-b6c1-6c9c28aa9707/

Credits

Tom C WPScan