Description
Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken authentication flaw in the ReviewX plugin, versions 2.3.6 and earlier. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), it allows an attacker to bypass the plugin’s login process and reach protected functions without valid credentials. The CVE description states only that authentication can be broken; that this could enable unauthorized use of the plugin’s administrative features is an inference, not a confirmed detail.

Affected Systems

WordPress installations running the ReviewX plugin at or below version 2.3.6 are affected. The CNA lists the product as ReviewX:ReviewX, and the version information confirms that all releases up to and including 2.3.6 are vulnerable. Sites running those releases could be compromised if an attacker can reach the plugin’s login endpoint over the network.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, while the EPSS score of < 1% indicates a low likelihood of exploitation at the time of analysis. The vulnerability is not included in the CISA KEV catalog, and the SSVC assessment on record lists Exploitation: none, Automatable: yes and Technical Impact: partial. The published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) confirms a network attack vector with low complexity and no privileges or user interaction required; it records a high integrity impact and no confidentiality or availability impact. It is inferred that an attacker could send crafted HTTP requests to the plugin’s resources to exploit the broken login flow and gain unauthorized access to plugin functionality.

Generated by OpenCVE AI on June 16, 2026 at 21:50 UTC.

Remediation

Vendor Solution

Update the WordPress ReviewX Plugin to the latest available version (at least 2.3.7).


OpenCVE Recommended Actions

  • Apply the latest ReviewX plugin update (at least version 2.3.7).
  • If the ReviewX plugin is not required, disable or remove it until the patch is applied.
  • Monitor WordPress logs for suspicious authentication activity associated with ReviewX.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Reviewx; Reviewx reviewx; Wordpress; Wordpress wordpress
Vendors & Products    -                Reviewx; Reviewx reviewx; Wordpress; Wordpress wordpress
Metrics               -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   -                Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.
Title         -                WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability
Weaknesses    -                CWE-288
References    -                -
Metrics       -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Reviewx Reviewx
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:29:50.492Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40781

Vulnrichment

Updated: 2026-06-16T01:29:45.449Z

NVD

Status : Deferred

Published: 2026-06-15T21:16:50.583

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:13Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel