WordPress Plugin Vulnerabilities

kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition

Description

The plugin does not implement atomic operations, allowing one user to vote multiple times on a poll due to a race condition.
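To show why a non-atomic "already voted?" check followed by a separate write lets a single user's vote be counted repeatedly, and what an atomic handler changes, the following added example (not the plugin's code) models a rating tally in memory. The RatingTally class, its two handlers and the barrier used to force the interleaving are all constructed for illustration.

```python
import threading

# Constructed in-memory model of a per-post star-rating tally. It is not the
# plugin's code; it only reproduces the check-then-act pattern the advisory describes.
class RatingTally:
    def __init__(self):
        self.voters = set()     # user ids that have already rated this post
        self.votes = []         # (user_id, stars) for every accepted vote
        self.lock = threading.Lock()

    def vote_unsafe(self, user_id, stars, barrier):
        """Vulnerable handler: the duplicate-vote check and the write are two
        separate, non-atomic steps, so simultaneous requests can all pass the check."""
        if user_id in self.voters:
            return False
        # Models the window between the read and the write. The barrier makes every
        # concurrent request reach this point before any of them writes.
        barrier.wait()
        self.voters.add(user_id)
        self.votes.append((user_id, stars))
        return True

    def vote_atomic(self, user_id, stars, barrier):
        """Hardened handler: check and write happen under one lock (a real deployment
        would use a DB-level unique constraint or a conditional atomic update), so
        only the first of the simultaneous requests is counted."""
        barrier.wait()  # all requests arrive at once, then serialize on the lock
        with self.lock:
            if user_id in self.voters:
                return False
            self.voters.add(user_id)
            self.votes.append((user_id, stars))
            return True

def replay_burst(handler_name, concurrent=10):
    """Fire `concurrent` identical 5-star votes from one user at the same moment and
    return (accepted votes, summed stars) that ended up in the tally."""
    tally = RatingTally()
    handler = getattr(tally, handler_name)
    barrier = threading.Barrier(concurrent)
    threads = [threading.Thread(target=handler, args=("user-42", 5, barrier))
               for _ in range(concurrent)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(tally.votes), sum(stars for _, stars in tally.votes)

if __name__ == "__main__":
    print("non-atomic handler:", replay_burst("vote_unsafe"))  # (10, 50): one user counted ten times
    print("atomic handler:    ", replay_burst("vote_atomic"))  # (1, 5)
```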

Proof of Concept

1- Install and activate kk Star Ratings.
2- Go to the page that displays the star rating.
3- Using Burp and the Turbo Intruder extension, intercept the rating submission.
4- Send the request to Turbo Intruder using Action > Extensions > Turbo Intruder > Send to turbo intruder.
5- Drop the initial request and turn Intercept off.
6- In the Turbo Intruder window, add "%s" to the end of the connection header (e.g. "Connection: close %s").
7- Use the code `examples/race.py`.
8- Click "Attack" at the bottom of the window. This will send multiple requests to the server at the same moment.
9- To see the updated total rates, reload the page you tested.

Affects Plugins

Fixed in 5.4.6

Classification

Type
RACE CONDITION

Miscellaneous

Original Researcher
Mohammad Reza Omrani
Submitter
Mohammad Reza Omrani
Verified
Yes

Timeline

Publicly Published
2023-11-06
Added
2023-11-06
Last Updated
2023-11-06