WordPress Plugin Vulnerabilities

Multi Rating <= 5.0.6 - Unauthenticated Ratings Update

Description

The plugin does not have authorisation and CSRF checks in its mr_edit_rating() function, allowing unauthenticated users to update arbitrary ratings (either directly or via a CSRF attack)

Affects Plugins

Plugin icon
multi-rating
No known fix

References

CVE
CVE-2023-32127
CVE
CVE-2023-32125

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
b7fa0ace-ad36-46c5-b09e-96a0b7b094ee

Timeline

Publicly Published
2023-05-04 (about 2 years ago)
Added
2023-08-21 (about 2 years ago)
Last Updated
2023-08-21 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
GDPR/CCPA Cookie Consent Banner < 3.2.1 - Missing Authorization via handle_consent_toggle()
Published
2021-11-24
Title
Hide My WP < 6.2.4 - Unauthenticated Plugin Deactivation
Published
2025-04-01
Title
WordPress Adverts Plugin <= 1.4 - Missing Authorization
Published
2024-03-29
Title
Awesome Support < 6.1.8 - Missing Authorization
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Deactivation