CVE-2026-8499

June 9, 2026, 1:33 p.m.

5.3
Medium

Description

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.

Product(s) Impacted

Vendor Product Versions
Helpfulcrowd
  • Product Reviews
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a helpfulcrowd product_reviews / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L13
https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/HelpfulcrowdCustomEndpoints.php#L71
https://plugins.trac.wordpress.org/browser/helpfulcrowd-product-reviews/tags/1.2.9/includes/core.php#L122
https://www.wordfence.com/threat-intel/vulnerabilities/id/26f34aa0-8584-4156-b084-d34a0ab0a997?source=cve

Tags

[email protected]
CWE-843
2026-06-09
CVE-2026-8499

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 9, 2026, 5:16 a.m.
Last Modified: June 9, 2026, 1:33 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.