CVE-2024-8277

CRITICAL EXPLOITED

WooCommerce Photo Reviews Premium <1.3.13.2 - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2024-8277 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including PolatBey.

AI-analyzed exploit summary This repository is a writeup for CVE-2024-8277, an authentication bypass vulnerability in WooCommerce Photo Reviews Premium. It describes the exploit but does not provide functional code, instead directing users to contact the author for purchase.

Description

The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.

Exploits (1)

nomisec WRITEUP

by PolatBey · poc

https://github.com/PolatBey/CVE-2024-8277

View Code ZIP pw:eip

This repository is a writeup for CVE-2024-8277, an authentication bypass vulnerability in WooCommerce Photo Reviews Premium. It describes the exploit but does not provide functional code, instead directing users to contact the author for purchase.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Theoretical

Target: WooCommerce Photo Reviews Premium ≤ 1.3.13.2

No auth needed

Prerequisites: Target must have WooCommerce Photo Reviews Premium installed and vulnerable · Admin notice dismissed in the last 30 days

MITRE ATT&CK

T1550 - Use Alternate Authentication Material

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product

https://codecanyon.net/item/woocommerce-photo-reviews/21245349

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=cve

Scores

CVSS v3 9.8

EPSS 0.0160

EPSS Percentile 72.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

VulnCheck KEV 2024-09-11

CWE

CWE-306 CWE-288

Status published

Products (2)

villatheme/WooCommerce Photo Reviews Premium < 1.3.13.2

villatheme/woocommerce_photo_reviews < 1.3.14

Published Sep 11, 2024

Tracked Since Feb 18, 2026