The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. The `helpfulcrowd_validate_token()` function validates the `token` parameter with a loose comparison operator (`!=`) instead of a strict comparison (`!==`), and the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, which makes it reachable by unauthenticated users. Submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to treat it as equal to the non-empty base64-encoded secret string, bypassing the check entirely. Unauthenticated attackers can therefore invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
The Helpfulcrowd Product Reviews WordPress plugin versions up to 1.2.9 contain an authorization bypass vulnerability due to loose PHP type comparison in token validation. Unauthenticated attackers can exploit this to modify plugin settings and potentially compromise website functionality.
The Helpfulcrowd Product Reviews plugin contains an authorization bypass vulnerability in its token validation function, which uses a loose comparison (`!=`) instead of a strict comparison (`!==`). Unauthorized attackers can exploit this vulnerability by sending a JSON boolean value as the token to circumvent validation and modify the plugin's settings.
Update the Helpfulcrowd Product Reviews plugin to version 1.3.0 or later immediately. Implement strict comparison operators (!==) in token validation functions. Review and restrict REST API endpoint permissions to authenticated users only. Monitor WordPress plugin updates regularly and apply security patches promptly.
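The loose check described in this advisory beside a hardened form, as an added example that is not the plugin's own code. The function names, `EXAMPLE_SECRET`, the `ALLOWED_KEYS` allowlist and the request bodies are constructed for illustration; the hardened check uses PHP's built-in `is_string()` and `hash_equals()`.

```php
<?php
declare(strict_types=1);

// Constructed sample secret; the plugin's real value is not shown in the advisory.
const EXAMPLE_SECRET = 'c2FtcGxlLXNlY3JldA==';

// Hypothetical allowlist; the plugin's real option keys are not in the advisory.
const ALLOWED_KEYS = ['widget_enabled', 'store_id'];

/** Loose check, the pattern the advisory describes: reject only if token != secret. */
function loose_token_ok($token): bool
{
    return !($token != EXAMPLE_SECRET);
}

/** Strict check: require a string first, then compare in constant time. */
function strict_token_ok($token): bool
{
    return is_string($token) && hash_equals(EXAMPLE_SECRET, $token);
}

/** Keep only allowlisted scalar settings before anything reaches update_option(). */
function filter_settings(array $input): array
{
    $clean = [];
    foreach (ALLOWED_KEYS as $key) {
        if (isset($input[$key]) && is_scalar($input[$key])) {
            $clean[$key] = (string) $input[$key];
        }
    }
    return $clean;
}

// Constructed request bodies, decoded the way a REST handler receives JSON.
$bodies = [
    '{"token": true, "store_id": "x", "unexpected": "y"}',
    '{"token": "c2FtcGxlLXNlY3JldA==", "store_id": "42"}',
    '{"token": "wrong", "store_id": "42"}',
];
foreach ($bodies as $raw) {
    $data = json_decode($raw, true);
    $token = $data['token'] ?? null;
    unset($data['token']);
    printf("%-55s loose=%s strict=%s kept=%s\n", $raw,
        var_export(loose_token_ok($token), true),
        var_export(strict_token_ok($token), true),
        json_encode(strict_token_ok($token) ? filter_settings($data) : []));
}
```

Only the first body separates the two checks: the loose comparison accepts the boolean while the strict one rejects it before any setting is considered. In a WordPress route the same type and value check belongs behind a `permission_callback` that does not return true unconditionally.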