CVE-2026-12684
Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
| Vendor | unknown |
| Product | customer reviews for woocommerce |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown customer reviews for woocommerce
Be the first to know when new unknown vulnerabilities affecting unknown customer reviews for woocommerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Customer Reviews for WooCommerce
0 < 5.113.0
References
Credits
Tom C WPScan