WordPress Plugin Vulnerabilities

Rate my Post < 3.4.3 - IP Spoofing

Description

The Rate my Post – WP Rating System plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 3.4.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to vote on posts multiple times.

Affects Plugins

Plugin icon
rate-my-post
Fixed in 3.4.3

References

CVE
CVE-2023-51667
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d24aa7e-bbf1-4a54-b53b-7a37e613e0e6

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
048bb679-bdf1-49db-9d55-81fba28ed71f

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2024-05-08
Title
Site Reviews < 7.0.0 - IP Spoofing
Published
2024-09-16
Title
Maintenance Redirect < 2.1.0 - IP Spoofing to Maintenance Mode Bypass
Published
2024-04-22
Title
Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing
Published
2023-12-27
Title
Branda < 3.4.15 - IP Spoofing
Published
2024-08-26
Title
Maintenance & Coming Soon Redirect Animation <= 2.3.3 - IP Spoofing to Bypass