WordPress Plugin Vulnerabilities

Yet Another Stars Rating < 3.4.4 - Missing Authorization via init

Description

The Yet Another Stars Rating plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the init function in versions up to, and including, 3.4.3. This makes it possible for unauthenticated attackers to vote on private or nonexistent posts.

Affects Plugins

Plugin icon
yet-another-stars-rating
Fixed in 3.4.4

References

CVE
CVE-2023-39305
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
df7337cd-9de1-4ebe-aeab-5c3b81d0e9ed

Timeline

Publicly Published
2023-11-27 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
Hive Support – WordPress Help Desk < 1.1.7 - Missing Authorization
Published
2024-11-18
Title
Contact Page With Google Map <= 1.6.1 - Unauthenticated Arbitrary File Deletion
Published
2025-04-01
Title
Clockinator Lite <= 1.0.7 - Missing Authorization
Published
2026-01-11
Title
WP Popups < 2.2.0.6 - Missing Authorization
Published
2026-04-16
Title
WP Statistics < 14.16.5 - Subscriber+ Sensitive Information Exposure and Privacy Audit Manipulation