WordPress Plugin Vulnerabilities

Rate My Post – Star Rating Plugin by FeedbackWP < 3.4.5 - Insecure Direct Object Reference

Description

The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to rate private posts.

Affects Plugins

Plugin icon
rate-my-post
Fixed in 3.4.5

References

CVE
CVE-2024-32823
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e679b853-3207-47c9-9cbe-d3ce3826cd00

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kyle Sanchez
Verified
No
WPVDB ID
ed9afc53-8979-4a96-81fd-aa8017c5f04e

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2026-05-27
Title
User Registration & Membership < 5.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter
Published
2025-02-14
Title
RTMKit < 1.6.8 - Authenticated (Contributor+) Insecure Direct Object Reference
Published
2025-10-31
Title
Service Finder Bookings < 6.1 - Authenticated (Subscriber+) Privilege Escalation via change_candidate_password
Published
2025-06-23
Title
MDJM Event Management <= 1.7.8.2 - Subscriber+ Privilege Escalation
Published
2024-04-15
Title
Login with phone number < 1.7.17 - Unauthorized Account Password Change to Privilege Escalation