Description
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to an authorization bypass due to PHP type juggling (CWE‑843). The plugin’s token validation uses a loose inequality comparison operator, and the REST route that updates settings registers a permission callback that always returns true, allowing unauthenticated users to reach the endpoint. By submitting a JSON boolean true as the token, the comparison is bypassed, enabling the attacker to call the settings update function and write arbitrary key–value pairs into the plugin’s options database via update_option() without sanitization or filtering. This results in full, unauthenticated configuration compromise, potentially altering plugin behavior and affecting site content or operations.

Affected Systems

WordPress sites that have installed Helpfulcrowd Product Reviews plugin version 1.2.9 or earlier and have not applied a newer release that resolves the token validation and permission callback flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, primarily because the flaw allows unauthenticated access and lacks input validation. While an EPSS score is not available, the vulnerability is publicly documented and can be exploited remotely over the network via the exposed REST API. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can trivially send a crafted request to /wp-json/helpfulcrowd/v1/update-settings with a JSON true token to modify the plugin’s configuration.

Generated by OpenCVE AI on June 9, 2026 at 06:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Helpfulcrowd Product Reviews plugin to a version newer than 1.2.9 that corrects the token validation and removes the insecure permission callback.
  • If an upgrade is not immediately possible, remove or block the /wp-json/helpfulcrowd/v1/update-settings REST endpoint using a firewall rule or security plugin to prevent unauthenticated access.
  • After applying the patch or blocking the endpoint, review and restore any plugin settings that may have been altered by an attacker to ensure configuration integrity.

Generated by OpenCVE AI on June 9, 2026 at 06:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Helpfulcrowd
Helpfulcrowd helpfulcrowd Product Reviews
Wordpress
Wordpress wordpress
Vendors & Products Helpfulcrowd
Helpfulcrowd helpfulcrowd Product Reviews
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
Title Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update
Weaknesses CWE-843
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Helpfulcrowd Helpfulcrowd Product Reviews
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T16:01:59.494Z

Reserved: 2026-05-13T19:49:04.220Z

Link: CVE-2026-8499

cve-icon Vulnrichment

Updated: 2026-06-09T16:01:53.430Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:39.373

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:14Z

Weaknesses