WordPress Plugin Vulnerabilities

Thumbs Rating <= 5.1.0 - Unauthenticated Insecure Direct Object Reference

Description

The Thumbs Rating plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.0 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
thumbs-rating
No known fix

References

CVE
CVE-2024-31095
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e98b0a3a-6c14-45f1-a6b2-9911ba34ce0d

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kyle Sanchez
Verified
No
WPVDB ID
64e164de-5ead-489b-9a65-650ff8135d24

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2025-04-07
Title
Streamit < 4.0.3 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover
Published
2025-11-07
Title
WPFunnels < 3.6.3 - Unauthorized User Registration
Published
2025-11-12
Title
Page Builder: Pagelayer – Drag and Drop website builder < 2.0.6 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-03-05
Title
Subscription for WooCommerce – WordPress Recurring Payments Plugin < 1.8.11 - Authenticated (Customer+) Insecure Direct Object Reference
Published
2023-09-12
Title
wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR