YASR – Yet Another Star Rating Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/yet-another-stars-rating

Boost the way people interact with your site with an easy WordPress stars rating system! With schema.org rich snippets YASR will improve your SEO

10K active installs · v3.4.15 · PHP 5.4+ · WP 4.7+ · Updated Apr 10, 2025
Tags: block, google-rating, rate-post, rating, star-rating
Security score: 96 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Nov 27, 2023

Safety Verdict

Is YASR – Yet Another Star Rating Plugin for WordPress Safe to Use in 2026?

Generally Safe

Score 96/100

YASR – Yet Another Star Rating Plugin for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Nov 27, 2023 · Updated 11mo ago

Risk Assessment

The "yet-another-stars-rating" plugin v3.4.15 presents a mixed security posture. While it demonstrates good practices, such as a high percentage of SQL queries using prepared statements and a substantial number of capability checks, there are significant concerns. The plugin has a considerable attack surface with 19 AJAX handlers, 13 of which lack authentication checks, creating an immediate risk of unauthorized actions. Additionally, taint analysis reveals two high-severity flows with unsanitized paths, indicating potential for code injection or other exploits. The plugin's vulnerability history is also a major red flag, with a total of 6 known CVEs, including a past critical vulnerability. The variety of vulnerability types seen over time, including missing authorization, XSS, deserialization, and SQL injection, further suggests recurring security weaknesses. While the absence of currently unpatched vulnerabilities is somewhat positive, as is the fact that the most recent vulnerability dates from late 2023, the historical pattern and the identified code-level risks warrant a cautious approach.

Key Concerns

  • 13 unprotected AJAX handlers
  • 2 high severity taint flows
  • 6 total known CVEs
  • 1 past critical CVE
  • 1 past high CVE
  • Bundled Freemius v1.0 (potentially outdated)
  • 5 flows with unsanitized paths

Vulnerabilities (6)

YASR – Yet Another Star Rating Plugin for WordPress Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2019: 1 CVE
2022: 1 CVE
2023: 3 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 4

6 total CVEs

CVE-2023-39305 · medium · 5.3 · Missing Authorization
Yet Another Stars Rating <= 3.4.3 - Missing Authorization via init
Nov 27, 2023 · Patched in 3.4.4 (57d)

CVE-2023-37867 · medium · 5.3 · Missing Authorization
Yet Another Stars Rating <= 3.3.8 - Missing Authorization to Vote Tampering
Jul 10, 2023 · Patched in 3.3.9 (197d)

CVE-2022-40699 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Yet Another Stars Rating <= 3.1.2 - Authenticated (Subscriber+) Cross-Site Scripting via Shortcodes
Mar 3, 2023 · Patched in 3.1.3 (326d)

CVE-2022-23980 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Yasr – Yet Another Stars Rating <= 2.9.9 - Cross-Site Scripting via source
Feb 3, 2022 · Patched in 3.0.0 (718d)

WF-bbd1e68f-1f84-40d6-9ecd-34280c3c5099-yet-another-stars-rating · critical · 9.8 · Deserialization of Untrusted Data
Yet Another Stars Rating <= 1.8.6 - Unauthenticated PHP Object Injection
Jan 27, 2019 · Patched in 1.8.7 (1822d)

CVE-2015-9465 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Yasr – Yet Another Stars Rating < 0.9.1 - Authenticated SQL Injection
Jul 6, 2015 · Patched in 0.9.1 (3123d)

Code Analysis
Analyzed Mar 16, 2026

YASR – Yet Another Star Rating Plugin for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (52 prepared)
Unescaped Output: 70 (351 escaped)
Nonce Checks: 17
Capability Checks: 31
File Operations: 2
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

87% prepared (60 total queries)

Output Escaping

83% escaped (421 total outputs)

Data Flows (5 unsanitized)

Data Flow Analysis

13 flows, 5 with unsanitized paths
editFormAjax (admin\settings\classes\YasrSettingsMultiset.php:505)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface (13 unprotected)

YASR – Yet Another Star Rating Plugin for WordPress Attack Surface

Entry Points: 34
Unprotected: 13

AJAX Handlers (19)

[auth]   wp_ajax_yasr-admin_change_log_page (admin\classes\YasrAdmin.php:53)
[auth]   wp_ajax_yasr_send_id_nameset (admin\editor\YasrEditorHooks.php:53)
[auth]   wp_ajax_yasr_import_wppr (admin\settings\classes\YasrImportRatingPlugins.php:65)
[auth]   wp_ajax_yasr_import_kksr (admin\settings\classes\YasrImportRatingPlugins.php:67)
[auth]   wp_ajax_yasr_import_ratemypost (admin\settings\classes\YasrImportRatingPlugins.php:69)
[auth]   wp_ajax_yasr_import_mr (admin\settings\classes\YasrImportRatingPlugins.php:71)
[auth]   wp_ajax_yasr_rankings_preview_shortcode (admin\settings\classes\YasrSettings.php:43)
[auth]   wp_ajax_yasr_get_multi_set (admin\settings\classes\YasrSettingsMultiset.php:10)
[auth]   wp_ajax_yasr_load_vv (includes\shortcodes\classes\YasrShortcodesAjax.php:35)
[nopriv] wp_ajax_yasr_load_vv (includes\shortcodes\classes\YasrShortcodesAjax.php:36)
[auth]   wp_ajax_yasr_load_rankings (includes\shortcodes\classes\YasrShortcodesAjax.php:38)
[nopriv] wp_ajax_yasr_load_rankings (includes\shortcodes\classes\YasrShortcodesAjax.php:39)
[auth]   wp_ajax_yasr_send_visitor_rating (includes\shortcodes\classes\YasrShortcodesAjax.php:43)
[nopriv] wp_ajax_yasr_send_visitor_rating (includes\shortcodes\classes\YasrShortcodesAjax.php:44)
[auth]   wp_ajax_yasr_visitor_multiset_field_vote (includes\shortcodes\classes\YasrShortcodesAjax.php:51)
[nopriv] wp_ajax_yasr_visitor_multiset_field_vote (includes\shortcodes\classes\YasrShortcodesAjax.php:52)
[auth]   wp_ajax_yasr-user_change_log_page (includes\shortcodes\classes\YasrShortcodesAjax.php:56)
[auth]   wp_ajax_yasr_stats_visitors_votes (includes\shortcodes\classes\YasrShortcodesAjax.php:60)
[nopriv] wp_ajax_yasr_stats_visitors_votes (includes\shortcodes\classes\YasrShortcodesAjax.php:61)

Shortcodes (15)

[yasr_overall_rating] includes\shortcodes\yasr-shortcode-functions.php:65
[yasr_visitor_votes] includes\shortcodes\yasr-shortcode-functions.php:101
[yasr_multiset] includes\shortcodes\yasr-shortcode-functions.php:127
[yasr_visitor_multiset] includes\shortcodes\yasr-shortcode-functions.php:143
[yasr_top_ten_highest_rated] includes\shortcodes\yasr-shortcode-functions.php:160
[yasr_ov_ranking] includes\shortcodes\yasr-shortcode-functions.php:168
[yasr_most_or_highest_rated_posts] includes\shortcodes\yasr-shortcode-functions.php:187
[yasr_top_5_reviewers] includes\shortcodes\yasr-shortcode-functions.php:204
[yasr_top_reviewers] includes\shortcodes\yasr-shortcode-functions.php:212
[yasr_top_ten_active_users] includes\shortcodes\yasr-shortcode-functions.php:218
[yasr_most_active_users] includes\shortcodes\yasr-shortcode-functions.php:226
[yasr_multi_set_ranking] includes\shortcodes\yasr-shortcode-functions.php:250
[yasr_visitor_multi_set_ranking] includes\shortcodes\yasr-shortcode-functions.php:259
[yasr_user_rate_history] includes\shortcodes\yasr-shortcode-functions.php:270
[yasr_display_posts] includes\shortcodes\yasr-shortcode-functions.php:284

WordPress Hooks (82)

action  admin_enqueue_scripts (admin\classes\YasrAdmin.php:35)
action  admin_menu (admin\classes\YasrAdmin.php:38)
action  plugins_loaded (admin\classes\YasrAdmin.php:40)
action  plugins_loaded (admin\classes\YasrAdmin.php:41)
action  plugins_loaded (admin\classes\YasrAdmin.php:42)
filter  permission_list (admin\classes\YasrAdmin.php:71)
filter  show_first_trial_after_n_sec (admin\classes\YasrAdmin.php:92)
filter  reshow_trial_after_every_n_sec (admin\classes\YasrAdmin.php:101)
filter  plugin_icon (admin\classes\YasrAdmin.php:110)
filter  show_deactivation_feedback_form (admin\classes\YasrAdmin.php:119)
action  wp_dashboard_setup (admin\classes\YasrAdmin.php:361)
action  wp_dashboard_setup (admin\classes\YasrAdmin.php:365)
action  category_edit_form_fields (admin\classes\YasrEditCategory.php:40)
action  init (admin\editor\YasrEditorHooks.php:41)
filter  block_categories_all (admin\editor\YasrEditorHooks.php:44)
action  add_meta_boxes (admin\editor\YasrEditorHooks.php:47)
action  media_buttons (admin\editor\YasrEditorHooks.php:50)
action  save_post (admin\editor\YasrEditorHooks.php:56)
action  delete_post (admin\editor\YasrEditorHooks.php:59)
action  yasr_add_tabs_on_tinypopupform (admin\editor\YasrEditorHooks.php:250)
action  yasr_add_tabs_on_tinypopupform (admin\editor\YasrEditorHooks.php:251)
action  yasr_add_content_on_tinypopupform (admin\editor\YasrEditorHooks.php:254)
action  yasr_add_content_on_tinypopupform (admin\editor\YasrEditorHooks.php:255)
action  yasr_metabox_below_editor_add_tab (admin\editor\YasrMetaboxBelowEditor.php:83)
action  yasr_metabox_below_editor_content (admin\editor\YasrMetaboxBelowEditor.php:86)
action  yasr_metabox_below_editor_add_tab (admin\editor\YasrMetaboxBelowEditor.php:91)
action  yasr_metabox_below_editor_content (admin\editor\YasrMetaboxBelowEditor.php:94)
filter  admin_footer_text (admin\settings\classes\YasrSettingsFooter.php:41)
action  admin_init (admin\settings\classes\YasrSettingsGeneral.php:11)
action  admin_init (admin\settings\classes\YasrSettingsMultiset.php:7)
action  admin_init (admin\settings\classes\YasrSettingsStyle.php:12)
action  yasr_style_options_add_settings_field (admin\settings\classes\YasrSettingsStyle.php:15)
filter  yasr_filter_style_options (admin\settings\classes\YasrSettingsStyle.php:18)
action  yasr_stats_tab_content (admin\settings\classes\YasrStatsExport.php:15)
action  init (admin\yasr-admin-init.php:30)
filter  autoptimize_filter_js_dontmove (includes\classes\YasrCachingPlugins.php:201)
filter  rocket_exclude_defer_js (includes\classes\YasrCachingPlugins.php:209)
action  yasr_action_on_visitor_vote (includes\classes\YasrCachingPlugins.php:218)
action  yasr_action_on_visitor_multiset_vote (includes\classes\YasrCachingPlugins.php:219)
filter  register_post_type_args (includes\classes\YasrCustomPostTypes.php:39)
filter  yasr_cstm_text_before_overall (includes\classes\YasrIncludesFilters.php:24)
filter  yasr_cstm_text_before_vv (includes\classes\YasrIncludesFilters.php:25)
filter  yasr_cstm_text_after_vv (includes\classes\YasrIncludesFilters.php:26)
filter  yasr_vv_saved_text (includes\classes\YasrIncludesFilters.php:27)
filter  yasr_vv_updated_text (includes\classes\YasrIncludesFilters.php:28)
filter  yasr_mv_saved_text (includes\classes\YasrIncludesFilters.php:29)
filter  yasr_cstm_text_already_voted (includes\classes\YasrIncludesFilters.php:30)
filter  yasr_must_sign_in (includes\classes\YasrIncludesFilters.php:31)
action  wp_enqueue_scripts (includes\classes\YasrScriptsLoader.php:16)
action  admin_enqueue_scripts (includes\classes\YasrScriptsLoader.php:17)
action  yasr_add_front_script_css (includes\classes\YasrScriptsLoader.php:19)
action  yasr_add_admin_scripts_end (includes\classes\YasrScriptsLoader.php:20)
action  yasr_add_front_script_css (includes\classes\YasrScriptsLoader.php:26)
action  yasr_add_admin_scripts_end (includes\classes\YasrScriptsLoader.php:27)
action  enqueue_block_editor_assets (includes\classes\YasrScriptsLoader.php:30)
action  init (includes\classes\YasrScriptsLoader.php:31)
action  yasr_add_admin_scripts_end (includes\classes\YasrScriptsLoader.php:34)
filter  yasr_gutenberg_constants (includes\classes\YasrScriptsLoader.php:37)
action  rest_api_init (includes\rest\classes\YasrCustomEndpoint.php:16)
action  rest_api_init (includes\rest\classes\YasrCustomFields.php:13)
action  rest_api_init (includes\rest\classes\YasrPostMeta.php:12)
action  posts_join_paged (includes\shortcodes\classes\YasrDisplayPosts.php:148)
action  posts_orderby (includes\shortcodes\classes\YasrDisplayPosts.php:153)
action  yasr_action_on_visitor_vote (includes\shortcodes\classes\YasrShortcodesAjax.php:47)
action  yasr_action_on_visitor_multiset_vote (includes\shortcodes\classes\YasrShortcodesAjax.php:48)
action  init (includes\yasr-includes-functions.php:26)
action  widgets_init (includes\yasr-widgets.php:25)
filter  the_content (public\classes\YasrPublicFilters.php:18)
filter  the_title (public\classes\YasrPublicFilters.php:23)
action  wp_enqueue_scripts (public\classes\YasrPublicFilters.php:24)
action  pre_get_posts (public\classes\YasrPublicFilters.php:36)
filter  excerpt_more (public\classes\YasrPublicFilters.php:328)
action  posts_join_paged (public\classes\YasrPublicFilters.php:335)
action  posts_orderby (public\classes\YasrPublicFilters.php:336)
filter  the_content (public\classes\YasrRichSnippets.php:21)
action  wp_footer (public\classes\YasrRichSnippets.php:27)
filter  yasr_filter_schema_title (public\classes\YasrRichSnippets.php:29)
filter  yasr_filter_existing_schema (public\classes\YasrRichSnippets.php:30)
filter  wpseo_schema_graph (public\classes\YasrRichSnippets.php:33)
action  wp_insert_site (yet-another-stars-rating.php:140)
filter  wpmu_drop_tables (yet-another-stars-rating.php:147)
filter  plugin_row_meta (yet-another-stars-rating.php:160)

Maintenance & Trust

YASR – Yet Another Star Rating Plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 10, 2025
PHP min version: 5.4
Downloads: 1.9M

Community Trust

Rating: 94/100
Number of ratings: 323
Active installs: 10K

Developer Profile

YASR – Yet Another Star Rating Plugin for WordPress Developer Profile

Dash Labs

1 plugin · 10K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 1041 days

Detection Fingerprints

How We Detect YASR – Yet Another Star Rating Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yet-another-stars-rating/admin/css/yasr-admin.css
/wp-content/plugins/yet-another-stars-rating/admin/css/yasr-admin-block.css
/wp-content/plugins/yet-another-stars-rating/admin/css/yasr-admin-styles.css
/wp-content/plugins/yet-another-stars-rating/admin/js/yasr-admin.js
/wp-content/plugins/yet-another-stars-rating/admin/js/guten/yasr-guten-block.js
/wp-content/plugins/yet-another-stars-rating/includes/css/yasr-public.css
/wp-content/plugins/yet-another-stars-rating/includes/js/yasr-public.js

Script Paths
/wp-content/plugins/yet-another-stars-rating/admin/js/yasr-admin.js
/wp-content/plugins/yet-another-stars-rating/admin/js/guten/yasr-guten-block.js
/wp-content/plugins/yet-another-stars-rating/includes/js/yasr-public.js

Version Parameters
yet-another-stars-rating/admin/css/yasr-admin.css?ver=
yet-another-stars-rating/admin/css/yasr-admin-block.css?ver=
yet-another-stars-rating/admin/css/yasr-admin-styles.css?ver=
yet-another-stars-rating/admin/js/yasr-admin.js?ver=
yet-another-stars-rating/admin/js/guten/yasr-guten-block.js?ver=
yet-another-stars-rating/includes/css/yasr-public.css?ver=
yet-another-stars-rating/includes/js/yasr-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
yasr-stars, yasr-icon, yasr-container, yasr-post-wrapper, yasr-rating-average

HTML Comments
YASR - Yet Another Stars Rating, YASR Free

Data Attributes
data-yasr-review-id, data-yasr-post-type, data-yasr-post-id

JS Globals
YASR_PUBLIC, YASR_ADMIN

REST Endpoints
/wp-json/yasr/v1/reviews

Shortcode Output
[yasr_visitor_votes], [yasr_overall_rating], [yasr_recent_votes]

FAQ

Frequently Asked Questions about YASR – Yet Another Star Rating Plugin for WordPress