CVE-2024-34763
📋 TL;DR
This CVE describes a missing authorization vulnerability in the Builder for WooCommerce reviews shortcodes – ReviewShort WordPress plugin. It allows unauthorized users to access functionality that should require proper authentication. WordPress sites using this plugin version 1.01.5 or earlier are affected.
💻 Affected Systems
- Builder for WooCommerce reviews shortcodes – ReviewShort WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could manipulate product reviews, potentially altering ratings, posting fake reviews, or deleting legitimate reviews, damaging business reputation and SEO.
Likely Case
Unauthorized users could view or submit reviews without proper permissions, potentially posting spam or inappropriate content.
If Mitigated
With proper authorization controls, only authenticated users with appropriate roles could access review management functions.
🎯 Exploit Status
Missing authorization vulnerabilities typically require minimal technical skill to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.01.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Builder for WooCommerce reviews shortcodes – ReviewShort'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.01.6+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate woo-product-reviews-shortcode
Restrict Access via .htaccess
linuxAdd IP restrictions to plugin directory
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Disable the plugin entirely and use alternative review management solutions
- Implement web application firewall rules to block unauthorized access to review endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Builder for WooCommerce reviews shortcodes – ReviewShort' version 1.01.5 or earlierCheck Version:
wp plugin get woo-product-reviews-shortcode --field=versionVerify Fix Applied:
Verify plugin version is 1.01.6 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /wp-content/plugins/woo-product-reviews-shortcode/
- Review submissions from unauthenticated users
- Suspicious user agents accessing review endpoints
Network Indicators:
- HTTP requests to plugin-specific endpoints without authentication headers
- Unusual traffic patterns to review submission URLs
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-content/plugins/woo-product-reviews-shortcode/" OR plugin="woo-product-reviews-shortcode") AND http_method=POST AND user="-"🔗 References
- https://patchstack.com/database/vulnerability/woo-product-reviews-shortcode/wordpress-builder-for-woocommerce-reviews-shortcodes-reviewshort-plugin-1-01-5-broken-access-control-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/woo-product-reviews-shortcode/wordpress-builder-for-woocommerce-reviews-shortcodes-reviewshort-plugin-1-01-5-broken-access-control-vulnerability?_s_id=cve
