The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
Conclusion & alert: CVE-2024-8277 is rated Moderate Risk (59.6/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.60%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 52.14% | 1.60% | -50.54% |
| 2 | 2026-01-31 | 45.63% | 52.14% | +6.51% |
| 3 | 2025-11-30 | — | 45.63% | — |
Full EPSS history (23 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| villatheme | woocommerce_photo_reviews | < 1.3.14 | cpe:2.3:a:villatheme:woocommerce_photo_reviews:*:*:*:*:*:wordpress:*:* |