Rate My Post – Star Rating Plugin by FeedbackWP < 4.2.5 – Unauthenticated Voting On Scheduled Posts | CVE 2024-12309 | Plugin Vulnerabilities

Description

The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts.

Affects Plugins

Fixed in 4.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c9aa467f-9ac2-4a84-b0bb-761101733af7

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

HayMiz

Verified

No

WPVDB ID

ddc29fbb-a6a4-419d-9513-7e621aa7b844

Timeline

Publicly Published

2024-12-12 (about 1 year ago)

Added

2024-12-12 (about 1 year ago)

Last Updated

2024-12-13 (about 1 year ago)

Other

Published

Title

Published

2026-05-20

Title

Broadstreet < 1.53.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta

Published

2023-12-27

Title

WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR

Published

2024-10-14

Title

WP 2FA with Telegram < 3.1 - Authenticated (Subscriber+) Authentication Bypass

Published

2024-09-24

Title

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation

Published

2026-06-26

Title

User Registration & Membership < 5.2.3 - Unauthenticated Limited User Deletion via Stripe Subscription Handler