The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the create_review_permissions_check() function comparing the user-supplied key parameter against the order's ivole_secret_key meta value using strict equality (===), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the ivole_secret_key meta is not set, causing get_meta() to return an empty string. An attacker can supply key: "" to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint POST /ivole/v1/review. Reviews are auto-approved by default since ivole_enable_moderation defaults to "no".