Skip to main content

Rate Star Review Vote CVE-2026-4301

| EUVDEUVD-2026-29393 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 Wordfence GHSA-vpjj-cp57-c66r
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 08:46 vuln.today
CVE Published
May 12, 2026 - 07:48 nvd
MEDIUM 4.3

DescriptionCVE.org

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content, author (changed to the attacker's user ID), post_type (changed to the plugin's custom post type, default 'review'), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the 'rating_id' parameter, effectively allowing full post content takeover.

AnalysisAI

Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.

Technical ContextAI

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the vwrsr_review() AJAX handler function. The handler implements only an is_user_logged_in() check for access control, lacking proper WordPress capability verification (such as current_user_can() checks for edit_posts or manage_posts) and nonce validation. When the 'form' parameter equals 'update', the function accepts an arbitrary post ID via the user-supplied 'rating_id' GET parameter and passes it directly to wp_update_post() without post ownership or permission validation. This allows the function to overwrite post properties including title, content, author ID, post_type, and post_status. Additionally, update_post_meta() calls at lines 758-763 enable modification of post metadata on any post, regardless of user permissions. The vulnerability stems from direct use of user input without authorization context.

RemediationAI

Update the Rate Star Review Vote plugin to the patched version released after 1.6.4 (consult Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/107cb15f-4b2e-4ed4-8e8a-4f716f4873db for exact fixed version). If a patched version is not yet available, immediately disable the plugin and remove it from the site, as the vulnerability poses direct risk to post content integrity. As a temporary compensating control, restrict user registration and lower the minimum user role required to register (typically set to Subscriber by default) by setting the WordPress 'users_can_register' option to false in wp-config.php or via Settings → General, preventing new low-privileged account creation. For sites that require user accounts, manually audit and demote unnecessary Subscriber accounts to a non-publishing role or remove them entirely. Monitor wp_postmeta and wp_posts tables for unauthorized changes to post_author, post_content, post_title, and post_type fields originating from AJAX requests to rate-star-review.php. Block direct access to the plugin's AJAX handlers at the web server level (nginx/Apache) if the plugin functionality is not actively used. Note: disabling the plugin will break existing star rating and review functionality; patching is the only safe long-term solution.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy