CVE-2026-8499 PUBLISHED

Helpfulcrowd Product Reviews <= 1.2.9 - Incorrect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update

Assigner: Wordfence
Reserved: 13.05.2026 Published: 09.06.2026 Updated: 09.06.2026

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to authorization bypass via PHP type juggling in versions up to, and including, 1.2.9. The helpfulcrowd_validate_token() function validates the token parameter with a loose comparison operator (!=) instead of a strict one (!==), and the corresponding REST route /wp-json/helpfulcrowd/v1/update-settings is registered with a permission_callback of __return_true, so it is reachable by unauthenticated users. Because PHP's loose comparison converts the other operand to boolean whenever one side is a boolean, submitting a JSON boolean true as the token value compares equal to the non-empty base64-encoded secret string, and the check is bypassed entirely. This makes it possible for unauthenticated attackers to invoke helpfulcrowd_settings_endpoint() and write arbitrary attacker-controlled key-value pairs directly into the helpfulcrowd_options WordPress database option via update_option(), with no sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration.
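The following is an added, self-contained PHP example and not the plugin's own code: the function names, the stored secret and the request bodies are constructed here to reproduce the pattern the advisory describes. It puts a loose (!=) token check beside a strict, constant-time one, runs both against a legitimate token, a wrong token, a JSON boolean true and a JSON 0, and shows a minimal allowlist filter for the settings payload, since the advisory also notes that the endpoint writes arbitrary keys via update_option().

```php
<?php
// Added example, not code from the Helpfulcrowd plugin. All names below
// (STORED_SECRET, validate_token_loose, validate_token_strict,
// sanitize_settings, ALLOWED_KEYS) are hypothetical stand-ins.
declare(strict_types=1);

// Assumption: the plugin stores a non-empty base64-encoded secret.
const STORED_SECRET = 'c2VjcmV0LXRva2VuLXZhbHVl';

// Vulnerable pattern from the advisory: loose inequality. When one operand
// is a boolean, PHP converts the other one to boolean before comparing, so
// (true != 'non-empty string') evaluates to false and the guard is skipped.
function validate_token_loose($token): bool
{
    if ($token != STORED_SECRET) {
        return false;
    }
    return true;
}

// Hardened form: refuse anything that is not a string, then compare in
// constant time. hash_equals() itself requires two strings, hence the guard.
function validate_token_strict($token): bool
{
    if (!is_string($token) || $token === '') {
        return false;
    }
    return hash_equals(STORED_SECRET, $token);
}

// Allowlist for the settings payload (assumption: the plugin's real option
// keys are not known; these two are illustrative). Unknown keys are dropped
// instead of being written to the option as-is.
const ALLOWED_KEYS = ['widget_enabled' => 'bool', 'review_limit' => 'int'];

function sanitize_settings(array $incoming): array
{
    $clean = [];
    foreach (ALLOWED_KEYS as $key => $type) {
        if (!array_key_exists($key, $incoming)) {
            continue;
        }
        $clean[$key] = $type === 'bool'
            ? (bool) $incoming[$key]
            : max(0, (int) $incoming[$key]);
    }
    return $clean;
}

// Constructed request bodies, decoded the way a WP REST handler's
// get_json_params() would decode them (json_decode with assoc = true).
$bodies = [
    'legit'   => '{"token":"c2VjcmV0LXRva2VuLXZhbHVl","settings":{"widget_enabled":1}}',
    'wrong'   => '{"token":"bm90LXRoZS10b2tlbg==","settings":{"widget_enabled":1}}',
    'bool'    => '{"token":true,"settings":{"widget_enabled":1,"evil_key":"x"}}',
    'zero'    => '{"token":0,"settings":{"review_limit":"-5"}}',
];

foreach ($bodies as $label => $json) {
    $params = json_decode($json, true);
    $token  = $params['token'] ?? null;
    printf("%-6s type=%-7s loose=%s strict=%s\n",
        $label,
        gettype($token),
        validate_token_loose($token)  ? 'PASS' : 'deny',
        validate_token_strict($token) ? 'PASS' : 'deny');
    if (validate_token_strict($token)) {
        // Only the allowlisted, coerced keys would reach update_option().
        echo '       sanitized settings: ', json_encode(sanitize_settings($params['settings'])), "\n";
    }
}
```

Running this, the legitimate token passes both checks and the wrong token fails both; the boolean true body passes the loose check and is rejected by the strict one. The `zero` body is included for a version caveat: on PHP 7 a non-numeric string is cast to 0 in a loose comparison, so an integer 0 token also passes the loose check there, while PHP 8 compares int-vs-non-numeric-string as strings and denies it. The strict function is immune either way. In the real plugin the second half of the fix is outside this snippet: the REST route's permission_callback should require a capability (for example current_user_can('manage_options')) rather than __return_true, so the token check is not the only gate.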

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor helpfulcrowd
Product Helpfulcrowd Product Reviews
Versions Default: unaffected
  • affected from 0 to 1.2.9 (incl.)

Credits

  • Abhirup Konwar finder

References

Problem Types

  • CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')