CVE-2026-4301

Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.6.5
Patched in
3d
Time to patch

Description

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content, author (changed to the attacker's user ID), post_type (changed to the plugin's custom post type, default 'review'), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the 'rating_id' parameter, effectively allowing full post content takeover.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.6.4
PublishedMay 11, 2026
Last updatedMay 14, 2026
Affected pluginrate-star-review

What Changed in the Fix

Changes introduced in v1.6.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4301 ## 1. Vulnerability Summary The **Rate Star Review Vote** plugin (versions <= 1.6.4) contains a critical "Missing Authorization" vulnerability in its AJAX handler `vwrsr_review`. The handler is registered for both authenticated and unauthenticated users b…

Show full research plan

Exploitation Research Plan: CVE-2026-4301

1. Vulnerability Summary

The Rate Star Review Vote plugin (versions <= 1.6.4) contains a critical "Missing Authorization" vulnerability in its AJAX handler vwrsr_review. The handler is registered for both authenticated and unauthenticated users but contains an internal is_user_logged_in() check, effectively limiting exploitation to any authenticated user (including Subscribers).

The vulnerability exists because the code lacks:

  1. Capability Checks: It does not verify if the user has the right to edit the target post.
  2. Nonce Verification: It does not use WordPress CSRF protection.
  3. Input Validation: It takes a user-provided rating_id and passes it directly to wp_update_post().

When the form parameter is set to update, an attacker can specify an arbitrary rating_id (representing a Post ID). The function then overwrites that post's title, content, author, status, and changes its post_type to review, effectively "hijacking" the post.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: vwrsr_review
  • Vulnerable Parameter: rating_id (Target Post/Page ID)
  • Authentication Required: Logged-in user (Subscriber role is sufficient).
  • Payload Type: application/x-www-form-urlencoded
  • Preconditions: The attacker must be authenticated as at least a Subscriber.

3. Code Flow

  1. Hook Registration: In rate-star-review.php, the plugin registers the AJAX actions:
    add_action( 'wp_ajax_vwrsr_review', array('VWrateStarReview','vwrsr_review') );
    add_action( 'wp_ajax_nopriv_vwrsr_review', array('VWrateStarReview','vwrsr_review') );
    
  2. Entry Point: The request reaches VWrateStarReview::vwrsr_review().
  3. Check: The function checks is_user_logged_in(). If true, it proceeds.
  4. Branching: The code checks if ($_GET['form'] == 'update') (or $_POST/$_REQUEST).
  5. Sink (Metadata): At lines 758-763 (as per description), update_post_meta() is called using the rating_id.
  6. Sink (Post Update): The function constructs an array for wp_update_post():
    • ID is set to the value of rating_id.
    • post_title is set from user input (likely review_title).
    • post_content is set from user input (likely review_text).
    • post_author is set to the current user's ID.
    • post_type is set to review.
  7. Execution: wp_update_post() executes, modifying the arbitrary Post ID.

4. Nonce Acquisition Strategy

According to the vulnerability description, the vwrsr_review() handler lacks nonce verification. Therefore, no nonce is required to exploit this vulnerability.

If a nonce were required, it would likely be localized via wp_localize_script. Based on the file structure, the JS variable would likely be found by navigating to a page with the [videowhisper_review] shortcode.

5. Exploitation Strategy

The goal is to modify a target Page (e.g., Page ID 2, usually the "Sample Page") into a "review" post type with attacker-controlled content.

Step-by-Step Plan:

  1. Authentication: Authenticate as a Subscriber-level user.
  2. Target Identification: Identify a Post/Page ID to hijack (e.g., ID 2).
  3. Request Construction: Send a POST request to admin-ajax.php.

Payload:

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: vwrsr_review
    • form: update
    • rating_id: 2 (Target ID)
    • review_title: Hacked by Subscriber (Inferred parameter name)
    • review_text: Your content is now mine. (Inferred parameter name)
    • rating: 5 (Required for review logic)

Note: If review_title/review_text fail, common alternative names used by this developer include title, text, or content.

6. Test Data Setup

  1. Target Content: Ensure a page with ID 2 exists (standard WordPress Sample Page).
    • wp post list --post_type=page
  2. Attacker Account: Create a Subscriber user.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Plugin State: Ensure rate-star-review is active.

7. Expected Results

  • HTTP Response: A successful response (likely a 200 OK with JSON or a success message).
  • Database Change:
    • The post_type of ID 2 changes from page to review.
    • The post_title changes to "Hacked by Subscriber".
    • The post_author changes to the Subscriber's ID.
    • The post_status might change to publish.

8. Verification Steps

After the HTTP request, verify the state of the target post via WP-CLI:

# Check the post details for ID 2
wp post get 2 --fields=ID,post_title,post_author,post_type,post_status --format=json

The output should show the post_type as review and the post_author as the ID of the attacker user.

9. Alternative Approaches

If the form=update branch requires specific metadata to exist (i.e., verifying the post is already a review), the attack may fail on a clean Page ID.

Alternative:
Attempt to use the "add" functionality (where form is not update) if it also accepts a rating_id or post_id and incorrectly uses it in an update context.

If the parameter names review_title or review_text are incorrect, inspect the frontend HTML of a page containing the [videowhisper_review] shortcode to find the exact name attributes of the form inputs.

// Run in browser_eval on a page with the review form:
browser_eval("Array.from(document.querySelectorAll('input, textarea')).map(i => i.name)")
Research Findings
Static analysis — not yet PoC-verified

Summary

The Rate Star Review Vote plugin for WordPress (<= 1.6.4) is vulnerable to unauthorized arbitrary post modification due to missing capability checks and nonce verification in its 'vwrsr_review' AJAX handler. Authenticated users, including those with subscriber-level access, can hijack any post or page by providing a target post ID in the 'rating_id' parameter, which is then passed directly to wp_update_post() to modify its title, content, author, and status.

Vulnerable Code

// rate-star-review.php line 61-62
add_action( 'wp_ajax_vwrsr_review', array('VWrateStarReview','vwrsr_review') );
add_action( 'wp_ajax_nopriv_vwrsr_review', array('VWrateStarReview','vwrsr_review') );

--- 

// Logical representation of the vulnerable sink within VWrateStarReview::vwrsr_review()
// as identified in the vulnerability research (the source file provided is truncated)

if (is_user_logged_in())
{
    if ($_GET['form'] == 'update')
    {
        $rating_id = $_GET['rating_id'];
        $post_update = array(
            'ID'           => $rating_id, // Unvalidated ID from input
            'post_title'   => $_GET['review_title'],
            'post_content' => $_GET['review_text'],
            'post_author'  => get_current_user_id(),
            'post_type'    => 'review',
            'post_status'  => 'publish',
        );
        wp_update_post( $post_update );
        // Lines 758-763: update_post_meta() is also called using $rating_id
    }
}

Security Fix

Only in /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.6.5: apf
Only in /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.6.5/languages: rate-star-review.pot
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.3.10/rate-star-review.php /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.6.5/rate-star-review.php
--- /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.3.10/rate-star-review.php	2021-08-13 20:53:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/rate-star-review/1.6.5/rate-star-review.php	2026-05-14 07:48:40.000000000 +0000
@@ -1,14 +1,17 @@
 <?php
 /*
-Plugin Name: Rate Star Review - AJAX Reviews for Content, with Star Ratings
-Plugin URI: https://videochat-scripts.com/
-Description: <strong>Rate Star Review - AJAX Reviews for Content, with Star Ratings</strong>: Multiple ratings and reviews for content (including custom post types) using AJAX. <a href='https://videowhisper.com/tickets_submit.php?topic=Rate-Star-Review'>Contact Us</a> | <a href='https://wordpress.org/support/plugin/rate-star-review/reviews/#new-post'>Review Plugin</a> 
-Version: 1.3.10
+Plugin Name: Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings
+Plugin URI: https://videowhisper.com 
+Description: <strong>Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings</strong>: Multiple ratings and reviews for content (including custom post types) using AJAX. <a href='https://consult.videowhisper.com?topic=Rate-Star-Review'>Contact Us</a> | <a href='https://wordpress.org/support/plugin/rate-star-review/reviews/#new-post'>Review Plugin</a> 
+Version: 1.6.5
 Author: VideoWhisper.com
 Author URI: https://videowhisper.com/
 Contributors: videowhisper, VideoWhisper.com
 Text Domain: rate-star-review
 Domain Path: /languages/
+Requires PHP: 7.4
+License: GPLv2 or later
+License URI: https://www.gnu.org/licenses/gpl-2.0.html
 */
 
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
@@ -41,15 +44,18 @@
 			VWrateStarReview::review_post();
 		}
 
-		function plugins_loaded()
+		static function plugins_loaded()
 		{
+
 			$plugin = plugin_basename(__FILE__);
 			add_filter("plugin_action_links_$plugin",  array('VWrateStarReview','settings_link') );
 
-			add_filter('the_content', array('VWrateStarReview','the_content'));
+			add_filter('the_content', array('VWrateStarReview','the_content'), 12);
 
 
 			//shortcodes
+			add_shortcode('videowhisper_vote', array( 'VWrateStarReview', 'videowhisper_vote'));
+
 			add_shortcode('videowhisper_review', array( 'VWrateStarReview', 'videowhisper_review'));
 			add_shortcode('videowhisper_reviews', array( 'VWrateStarReview', 'videowhisper_reviews'));
 			add_shortcode('videowhisper_rating', array( 'VWrateStarReview', 'videowhisper_rating'));
@@ -58,39 +64,61 @@
 
 
 			//web app ajax calls
+			add_action( 'wp_ajax_vwrsr_vote', array('VWrateStarReview','vwrsr_vote') );
+			add_action( 'wp_ajax_nopriv_vwrsr_vote', array('VWrateStarReview','vwrsr_vote') );
+
 			add_action( 'wp_ajax_vwrsr_review', array('VWrateStarReview','vwrsr_review') );
 			add_action( 'wp_ajax_nopriv_vwrsr_review', array('VWrateStarReview','vwrsr_review') );
+
 			add_action( 'wp_ajax_vwrsr_reviews', array('VWrateStarReview','vwrsr_reviews') );
 			add_action( 'wp_ajax_nopriv_vwrsr_reviews', array('VWrateStarReview','vwrsr_reviews') );
 		}

Exploit Outline

The exploit target is the 'vwrsr_review' AJAX action. An authenticated attacker with at least Subscriber privileges identifies a target post ID (e.g., a main site Page or Post). They then send a POST request to /wp-admin/admin-ajax.php with the parameters 'action=vwrsr_review', 'form=update', and 'rating_id' set to the target ID. By including additional parameters like 'review_title' and 'review_text', the attacker can overwrite the title and content of the target post. Because the plugin uses wp_update_post() on the provided ID without verifying that the current user has editing capabilities for that specific post, the target post is effectively hijacked, changing its type to 'review' and its author to the attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.