WordPress Plugin Vulnerabilities

WordPress Review & Structure Data Schema Plugin – Review Schema < 2.2.0 - Missing Authorization to Arbitrary Review Update

Description

The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary reviews.

Affects Plugins

Plugin icon
review-schema
Fixed in 2.2.0

References

CVE
CVE-2024-0836
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
d7256a27-abd0-4c53-898f-2660b4679e10

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-01-30 (about 2 years ago)
Last Updated
2024-01-30 (about 2 years ago)

Other

Published
Title
Published
2026-04-23
Title
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 7.9.9 - Missing Authorization
Published
2025-10-23
Title
Soledad < = 8.6.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-09-26
Title
EmailKit < 1.6.1 - Missing Authorization to Authenticated (Author+) Arbitrary Content Deletion
Published
2025-12-12
Title
Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion
Published
2024-12-11
Title
Notibar < 2.1.5 - Missing Authorization via ajax_install_plugin