CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
What the vulnerability does
The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store.
Explanation of Vulnerability in Simple Terms
Reviewify for WooCommerce versions 1.0.7 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify review data and site content. An attacker can change or delete reviews without logging in or needing special permissions. Site owners should update immediately to prevent unauthorized tampering with customer reviews and ratings.
What an attacker can do
Modify or delete product reviews and ratings without authentication.
Potential impact on your site
Customer reviews can be altered or removed by anyone, damaging trust and review integrity.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
