CVE-2026-4301 MEDIUM

CVE-2026-4301: Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter

Vendor Videowhisper
Product Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings
Weakness CWE-862 · Missing authorization
Published May 12, 2026
Last update May 12, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content, author (changed to the attacker's user ID), post_type (changed to the plugin's custom post type, default 'review'), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the 'rating_id' parameter, effectively allowing full post content takeover.
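
The pattern the description outlines, as an added illustration that is not the plugin's own code: a WordPress AJAX update handler guarded only by a login check, beside a hardened version that adds nonce verification, a post-type check and an object-level capability check. Function, action, nonce and field names (`vw_example_*`) are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Names are assumptions.

// Pattern described in the advisory: the only gate is is_user_logged_in(),
// and the post ID comes straight from the 'rating_id' request parameter.
function vw_example_review_update_insecure() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'login required' );
    }
    if ( isset( $_GET['form'] ) && 'update' === $_GET['form'] ) {
        wp_update_post( array(
            'ID'           => intval( $_GET['rating_id'] ), // caller-controlled, unchecked
            'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
            'post_author'  => get_current_user_id(),          // reassigns ownership
            'post_type'    => 'review',                       // converts any post to a review
        ) );
    }
}

// Hardened version: CSRF nonce, restrict to the plugin's own post type,
// and require that the caller owns the review or may edit that specific post.
function vw_example_review_update_secure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'vw_example_review_nonce', 'nonce' ); // dies on a bad/missing nonce

    $post_id = isset( $_GET['rating_id'] ) ? absint( $_GET['rating_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post || 'review' !== $post->post_type ) {
        wp_send_json_error( 'not a review', 404 ); // pages/posts of other types are out of scope
    }
    if ( (int) $post->post_author !== get_current_user_id()
         && ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );   // object-level authorization
    }

    wp_update_post( array(
        'ID'           => $post_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        // post_author and post_type are intentionally left untouched
    ) );
    update_post_meta( $post_id, 'vw_example_stars', absint( $_POST['stars'] ?? 0 ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_vw_example_review_update', 'vw_example_review_update_secure' );
```

On the detection side, `wp_update_post()` calls whose `ID` comes from request input without a preceding `current_user_can( 'edit_post', $id )` are the pattern to grep for when auditing similar handlers.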

Explanation of Vulnerability in Simple Terms

02 Summary

Rate Star Review Vote contains a missing authorization flaw that lets any authenticated user modify posts they should not have access to. An attacker with a low-privilege (Subscriber-level) account can alter other users' posts and pages, including reviews and ratings submitted by other users, by supplying the target's post ID. The vulnerability affects all versions up to and including 1.6.4. Site administrators should update to a version newer than 1.6.4 when available.

What an attacker can do

03 Attacker Capabilities

Modify the title, content, author, post type and metadata of arbitrary posts and pages on the site, including reviews and ratings submitted by other users.

Potential impact on your site

04 Site Impact

Review integrity is compromised; users cannot trust that ratings and reviews are authentic or unmodified.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06 Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated