CVE-2026-12684 - CERT CVE
ID CVE-2026-12684
Sažetak The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
Reference
CVSS
Base: 6.5
Impact: 2.5
Exploitability:3.9
Pristup
VektorSloženostAutentikacija
NETWORK LOW NONE
Impact
PovjerljivostCjelovitostDostupnost
NONE LOW LOW
CVSS vektor CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Zadnje važnije ažuriranje 16-07-2026 - 19:16
Objavljeno 16-07-2026 - 07:16