WordPress Yet Another Stars Rating Plugin <= 3.3.8 is vulnerable to Race Condition
CVE-2023-37867
8.1 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 30 November 2023
Summary
The Yet Another Star Rating Plugin for WordPress is affected by a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. The flaw allows an attacker to exploit the time gap between the plugin checking a required condition and then acting on the result of that check, potentially leading to unauthorized actions or data manipulation. All versions up to and including 3.3.8 are affected, posing a security risk for WordPress sites using this plugin.
Affected Version(s)
YASR – Yet Another Star Rating Plugin for WordPress <= 3.3.8
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Abdi Pranata (Patchstack Alliance)