Yet Another Stars Rating <= 1.8.6 – PHP Object Injection | Plugin Vulnerabilities

Description

An unauthenticated PHP object injection in the "Yasr – Yet Another Stars Rating" WordPress plugin introduces a starting point for RCE and similiar high-severity vulnerabilities. As of 27.01.2019, the plugin has over 20.000 active installations and round about 500.000 downloads. A shortcode provided by the plugin passes Cookie data without any filtering to PHPs unsafe unserialize() function.

Affects Plugins

yet-another-stars-rating

Fixed in 1.8.7

References

URL

https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress

URL

https://plugins.trac.wordpress.org/changeset/2019911/yet-another-stars-rating/tags/1.8.7/lib/yasr-functions.php

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

Miscellaneous

Original Researcher

Paul Dannewitz

Submitter

Paul Dannewitz

Submitter website

https://dannewitz.ninja

Submitter twitter

Verified

No

WPVDB ID

3a252d33-52b2-40bf-96a7-23ec2e9fe7d2

Timeline

Publicly Published

2019-01-27 (about 7 years ago)

Added

2019-01-28 (about 7 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2026-04-13

Title

Post Duplicator < 3.0.11 - Contributor+ PHP Object Injection

Published

2025-05-20

Title

Goodlayers Hostel <= 3.1.2 - Unauthenticated PHP Object Injection

Published

2026-02-09

Title

Booking and Rental Manager < 2.6.0 - Authenticated (Contributor+) PHP Object Injection

Published

2025-04-14

Title

Question Answer <= 1.2.70 - Authenticated (Subscriber+) PHP Object Injection

Published

2024-02-02

Title

Knowledge Base for Documentation, FAQs with AI Assistance < 11.31.0 - Unauthenticated PHP Object Injection in is_article_recently_viewed