Skip to main content

ReviewX EUVDEUVD-2026-36987

| CVE-2026-40781 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-c83w-fg37-x4j7
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Plugin endpoint reachable over the network without authentication or user interaction; broken auth lets attacker change plugin-managed state (I:H) without confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:08 vuln.today

DescriptionCVE.org

Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.

AnalysisAI

Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Technical ContextAI

ReviewX is a WordPress plugin that adds multi-criteria customer review and rating functionality (commonly used on WooCommerce stores). The CPE cpe:2.3:a:reviewx:reviewx:*:*:*:*:*:*:*:* and the Patchstack advisory confirm this is the plugin distribution, not a standalone application. CWE-288 describes a Broken Authentication condition where a code path exposes privileged functionality without performing the normal authentication check - typically an AJAX/REST endpoint, nonce-only check, or a capability check that is missing or trivially bypassed. With CVSS C:N/I:H/A:N, the bypass appears to permit attackers to invoke write/state-changing actions (e.g., creating, modifying, or approving reviews or related plugin data) without proving identity, but does not directly leak protected data nor crash the host.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data; defenders should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/reviewx/vulnerability/wordpress-reviewx-plugin-2-3-6-broken-authentication-vulnerability for the latest fixed version and upgrade ReviewX past 2.3.6 as soon as a release is available. Until a fix is installed, compensating controls include deactivating the ReviewX plugin on sites that do not currently rely on it (loses review functionality but eliminates exposure), restricting access to the plugin's REST and admin-ajax endpoints via WAF rules or .htaccess (may break legitimate frontend review submissions if rules are too broad), and enabling Patchstack or an equivalent virtual-patching WAF that ships a signature for this CVE. Monitor wp-content/plugins/reviewx and the wp_posts/wp_comments tables for unexpected new entries that could indicate exploitation attempts.

Share

EUVD-2026-36987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy