HarborGuard Database
CVE-2026-40781 | Severity: HIGH | CNA: Patchstack

CVE-2026-40781: WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability

Unauthenticated Broken Authentication vulnerability in ReviewX versions <= 2.3.6.

Metrics

CVSS v3.1 base score: 7.5
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the ReviewX WordPress plugin in version 2.3.6 and earlier. The flaw is reachable over the network and requires neither credentials nor user interaction, so an unauthenticated remote attacker can exploit it directly. The CVSS vector rates the integrity impact as high with no confidentiality or availability impact: successful exploitation lets the attacker perform write operations that the plugin's authentication checks are meant to restrict. The advisory summary reproduced here does not identify the affected endpoint or action, so defenders should treat the plugin's whole unauthenticated request surface as in scope until a fix is published. No fix has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as an upstream fix is available.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the ReviewX plugin. Any image containing ReviewX at or below version 2.3.6 is flagged automatically.
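A practitioner who wants to reproduce this detection step locally, against a WordPress document root or the unpacked filesystem of an exported container image, can do it by reading the plugin's WordPress header and comparing its Version field numerically against 2.3.6. The script below is an added example, not HarborGuard's or the ReviewX project's code. It assumes the standard wp-content/plugins/<slug>/ layout and the standard WordPress plugin header block; the plugin file it writes into a temporary directory is a constructed fixture, not the real plugin.

```python
"""Added example: find a WordPress install's ReviewX plugin and flag it
if its version is <= 2.3.6, the range the advisory marks as affected.

Assumptions (not from the advisory): plugins live under
wp-content/plugins/<slug>/ and the plugin's main file carries the
standard WordPress header block ("Plugin Name:", "Version:"). The plugin
file written by build_sample_tree() is a constructed fixture, not the
real plugin's code.
"""
import re
import tempfile
from pathlib import Path

MAX_AFFECTED = "2.3.6"  # advisory: ReviewX <= 2.3.6
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE
)


def parse_plugin_header(php_source: str) -> dict:
    """Return the header fields WordPress reads from a plugin's main file.

    WordPress inspects only the first 8 KiB of the file; mirroring that keeps
    a 'Version:' string deeper in the code from being mistaken for the header.
    """
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key, value)  # first occurrence wins, as in WordPress
    return fields


def version_key(version: str) -> tuple:
    """Numeric comparison key padded to three components.

    A plain string comparison puts '2.3.10' below '2.3.6'; integer tuples do
    not. A pre-release suffix such as '-beta' is dropped, so '2.3.6-beta'
    is treated as 2.3.6 (still affected).
    """
    core = re.split(r"[^0-9.]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, max_affected: str = MAX_AFFECTED) -> bool:
    return version_key(version) <= version_key(max_affected)


def scan_wordpress_tree(root, plugin_name: str = "ReviewX") -> list:
    """Walk wp-content/plugins/*/ and return (relative path, version, affected)
    for every copy of `plugin_name`; an empty list means it is not installed.

    Point `root` at a document root or at the unpacked filesystem of an
    exported container image to check a built WordPress image.
    """
    root = Path(root)
    plugins_dir = root / "wp-content" / "plugins"
    findings = []
    if not plugins_dir.is_dir():
        return findings
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if header.get("Plugin Name") == plugin_name and "Version" in header:
                version = header["Version"]
                findings.append((str(php.relative_to(root)), version, is_affected(version)))
                break  # one main file per plugin directory
    return findings


def build_sample_tree(root, version: str) -> Path:
    """Constructed fixture: a minimal plugin main file with a WordPress header."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / "reviewx"
    plugin_dir.mkdir(parents=True, exist_ok=True)
    (plugin_dir / "reviewx.php").write_text(
        "<?php\n/**\n * Plugin Name: ReviewX\n"
        f" * Version: {version}\n * Text Domain: reviewx\n */\n"
        "// plugin code would follow here\n"
    )
    return plugin_dir


def demo() -> dict:
    """Scan three constructed trees; keys are the versions planted in them."""
    results = {}
    for version in ("2.3.6", "2.3.10", "2.2.0"):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp, version)
            results[version] = scan_wordpress_tree(tmp)
    return results


if __name__ == "__main__":
    for version, findings in demo().items():
        for path, found, affected in findings:
            print(f"{path}: {found} -> {'AFFECTED' if affected else 'not affected'}")
```

The numeric version key is the part that matters in practice: a scanner that compares version strings lexically would report 2.3.10 as affected and 2.3.6 as safe, which is exactly backwards for a "<= 2.3.6" range.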
Triage (Available)

HarborGuard scores this CVE at CVSS 7.5 HIGH using the published v3.1 vector and applies per-environment compliance policy weighting to surface it to the appropriate team inbox within each customer organization. Teams can filter and prioritize this finding alongside other active issues in their environment.
Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the meantime, customers with auto-remediation enabled can apply compensating controls through HarborGuard policy rules, such as network-policy isolation of the affected workload, to reduce exposure while the patch is pending.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is exposed over the network (AV:N); an attacker must be able to reach the WordPress instance running the ReviewX plugin via HTTP/HTTPS.

  • Authentication: Not required

    No credentials of any kind are needed (PR:N); the attacker can exploit this as a completely anonymous, unauthenticated request.

  • Victim interaction: Not required

    No user action or social engineering is required (UI:N); the attacker sends requests directly to the target service.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • The attacker bypasses authentication controls and can perform actions or access endpoints that are intended to be restricted to logged-in users.
  • Integrity of stored data is at high risk; the attacker can create, modify, or delete reviews and plugin-managed records without authorization.
  • Confidentiality and availability are not directly impacted according to the CVSS vector, but unauthorized write access can be used to insert malicious content into published review data.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active and matches any image containing ReviewX at or below 2.3.6. Because no upstream fix exists yet, a patched-image rebuild cannot be generated, but HarborGuard monitors the Patchstack advisory on every ingest cycle and will initiate a rebuild automatically once a fix version is published. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow as soon as the upstream patch is available.

While the fix is pending, recommended compensating controls are: isolating the WordPress workload behind a network policy that restricts public ingress to known safe paths; applying a web application firewall rule that blocks anomalous unauthenticated requests to the plugin's endpoints; and flagging the affected images in your compliance policy so they cannot be promoted to production until a patched version is confirmed. Because the advisory does not name the affected endpoint, a WAF rule has to be scoped from the plugin's own request surface (its REST routes and admin-ajax actions) and tested so it does not block the plugin's legitimate traffic.

Affected packages
  • ReviewX / ReviewX
    ≤ 2.3.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N