Impact
The vulnerability stems from a missing authorization check (CWE-862) in the Ryviu – Product Reviews for WooCommerce plugin, allowing an attacker to perform review-related actions without proper permissions. A malicious actor could add, edit or delete reviews, potentially altering customer feedback, defaming sellers, or manipulating store reputation. The impact is confined to the integrity of review data and the trust customers place in the site’s feedback system; it does not lead to direct code execution or system compromise.
Affected Systems
The issue affects the Ryviu – Product Reviews for WooCommerce WordPress plugin, specifically versions up to and including 3.1.26. Users running any of these versions are susceptible if their WordPress installation allows visitors or users with lower roles to submit or modify reviews.
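A defender-side check for the affected range above, added here as an example and not part of the advisory or the plugin's code: it reads the standard WordPress plugin header from each plugin's PHP files and flags Ryviu installs at or below 3.1.26. Matching on the word "Ryviu" in the `Plugin Name` header and the constructed sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 1, 26)  # from the advisory: versions up to and including 3.1.26
NAME_MARKER = "ryviu"       # assumption: matched against the "Plugin Name:" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)


def parse_version(text):
    """Turn '3.1.26' into (3, 1, 26) so comparison is numeric, not lexical."""
    parts = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def read_plugin_header(php_file):
    """Return the Plugin Name and Version fields from the first 8 KiB of a PHP file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    # reversed() makes the first occurrence of each field win
    return {key.lower(): value for key, value in reversed(HEADER_RE.findall(head))}


def find_affected(plugins_dir):
    """List (plugin folder, version) for Ryviu installs in the affected range."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php_file)
        name, version = header.get("plugin name", ""), header.get("version")
        if NAME_MARKER in name.lower() and version and parse_version(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version))
    return hits


def demo():
    """Build a constructed plugins tree (three sample installs) and scan it."""
    samples = {"install-a": "3.1.26", "install-b": "3.1.9", "install-c": "3.2.0"}
    with tempfile.TemporaryDirectory() as root:
        for folder, version in samples.items():
            plugin_dir = Path(root, folder)
            plugin_dir.mkdir()
            Path(plugin_dir, "main.php").write_text(
                "<?php\n/**\n * Plugin Name: Ryviu – Product Reviews for WooCommerce\n"
                f" * Version: {version}\n */\n", encoding="utf-8")
        return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

On a real site, call `find_affected()` with the path to `wp-content/plugins`; version 3.1.9 is flagged because the comparison is numeric per component.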
Risk and Exploitability
The vulnerability has a CVSS score of 5.3, indicating a moderate risk. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector is through the standard review submission interface of the plugin, potentially without needing authenticated access. The damage is limited to site content integrity, and no method for further escalation is disclosed by the CVE data.