Vulnerabilites related to lesterchan - wp-postratings
CVE-2021-25117 (GCVE-0-2021-25117)
Vulnerability from cvelistv5
Published
2024-01-16 15:49
Modified
2025-06-17 14:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WP-PostRatings |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:56:10.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-25117",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:08:41.574292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:09:11.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "WP-PostRatings",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.86.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Park Won Seok"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T15:49:22.142Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Postratings \u003c 1.86.1 - Admin+ Stored Cross-Site Scripting",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-25117",
"datePublished": "2024-01-16T15:49:22.142Z",
"dateReserved": "2021-01-14T15:03:46.870Z",
"dateUpdated": "2025-06-17T14:09:11.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39659 (GCVE-0-2024-39659)
Vulnerability from cvelistv5
Published
2024-08-01 21:45
Modified
2024-08-02 14:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Stored XSS.This issue affects WP-PostRatings: from n/a through 1.91.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Lester ‘GaMerZ’ Chan | WP-PostRatings |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T14:49:23.572900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:49:39.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-postratings",
"product": "WP-PostRatings",
"vendor": "Lester \u2018GaMerZ\u2019 Chan",
"versions": [
{
"changes": [
{
"at": "1.91.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.91.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "stealthcopter (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Stored XSS.\u003cp\u003eThis issue affects WP-PostRatings: from n/a through 1.91.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Stored XSS.This issue affects WP-PostRatings: from n/a through 1.91.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:10.909Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.91.2 or a higher version."
}
],
"value": "Update to 1.91.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-PostRatings plugin \u003c= 1.91.1 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-39659",
"datePublished": "2024-08-01T21:45:10.909Z",
"dateReserved": "2024-06-26T21:19:18.994Z",
"dateUpdated": "2024-08-02T14:49:39.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-10006 (GCVE-0-2011-10006)
Vulnerability from cvelistv5
Published
2024-04-08 13:00
Modified
2024-08-07 00:30
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting
Summary
A vulnerability was found in GamerZ WP-PostRatings up to 1.64. It has been classified as problematic. This affects an unknown part of the file wp-postratings.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.65 is able to address this issue. The identifier of the patch is 6182a5682b12369ced0becd3b505439ce2eb8132. It is recommended to upgrade the affected component. The identifier VDB-259629 was assigned to this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GamerZ | WP-PostRatings |
Version: 1.0 Version: 1.1 Version: 1.2 Version: 1.3 Version: 1.4 Version: 1.5 Version: 1.6 Version: 1.7 Version: 1.8 Version: 1.9 Version: 1.10 Version: 1.11 Version: 1.12 Version: 1.13 Version: 1.14 Version: 1.15 Version: 1.16 Version: 1.17 Version: 1.18 Version: 1.19 Version: 1.20 Version: 1.21 Version: 1.22 Version: 1.23 Version: 1.24 Version: 1.25 Version: 1.26 Version: 1.27 Version: 1.28 Version: 1.29 Version: 1.30 Version: 1.31 Version: 1.32 Version: 1.33 Version: 1.34 Version: 1.35 Version: 1.36 Version: 1.37 Version: 1.38 Version: 1.39 Version: 1.40 Version: 1.41 Version: 1.42 Version: 1.43 Version: 1.44 Version: 1.45 Version: 1.46 Version: 1.47 Version: 1.48 Version: 1.49 Version: 1.50 Version: 1.51 Version: 1.52 Version: 1.53 Version: 1.54 Version: 1.55 Version: 1.56 Version: 1.57 Version: 1.58 Version: 1.59 Version: 1.60 Version: 1.61 Version: 1.62 Version: 1.63 Version: 1.64 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2011-10006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T17:28:10.894549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:37.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:30:46.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-259629 | GamerZ WP-PostRatings wp-postratings.php cross site scripting",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.259629"
},
{
"name": "VDB-259629 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.259629"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/dcc68d03693152eba14d6fb33ba42528ff60e06a"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/6182a5682b12369ced0becd3b505439ce2eb8132"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/wp-plugins/wp-postratings/releases/tag/1.65"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP-PostRatings",
"vendor": "GamerZ",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "1.1"
},
{
"status": "affected",
"version": "1.2"
},
{
"status": "affected",
"version": "1.3"
},
{
"status": "affected",
"version": "1.4"
},
{
"status": "affected",
"version": "1.5"
},
{
"status": "affected",
"version": "1.6"
},
{
"status": "affected",
"version": "1.7"
},
{
"status": "affected",
"version": "1.8"
},
{
"status": "affected",
"version": "1.9"
},
{
"status": "affected",
"version": "1.10"
},
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.12"
},
{
"status": "affected",
"version": "1.13"
},
{
"status": "affected",
"version": "1.14"
},
{
"status": "affected",
"version": "1.15"
},
{
"status": "affected",
"version": "1.16"
},
{
"status": "affected",
"version": "1.17"
},
{
"status": "affected",
"version": "1.18"
},
{
"status": "affected",
"version": "1.19"
},
{
"status": "affected",
"version": "1.20"
},
{
"status": "affected",
"version": "1.21"
},
{
"status": "affected",
"version": "1.22"
},
{
"status": "affected",
"version": "1.23"
},
{
"status": "affected",
"version": "1.24"
},
{
"status": "affected",
"version": "1.25"
},
{
"status": "affected",
"version": "1.26"
},
{
"status": "affected",
"version": "1.27"
},
{
"status": "affected",
"version": "1.28"
},
{
"status": "affected",
"version": "1.29"
},
{
"status": "affected",
"version": "1.30"
},
{
"status": "affected",
"version": "1.31"
},
{
"status": "affected",
"version": "1.32"
},
{
"status": "affected",
"version": "1.33"
},
{
"status": "affected",
"version": "1.34"
},
{
"status": "affected",
"version": "1.35"
},
{
"status": "affected",
"version": "1.36"
},
{
"status": "affected",
"version": "1.37"
},
{
"status": "affected",
"version": "1.38"
},
{
"status": "affected",
"version": "1.39"
},
{
"status": "affected",
"version": "1.40"
},
{
"status": "affected",
"version": "1.41"
},
{
"status": "affected",
"version": "1.42"
},
{
"status": "affected",
"version": "1.43"
},
{
"status": "affected",
"version": "1.44"
},
{
"status": "affected",
"version": "1.45"
},
{
"status": "affected",
"version": "1.46"
},
{
"status": "affected",
"version": "1.47"
},
{
"status": "affected",
"version": "1.48"
},
{
"status": "affected",
"version": "1.49"
},
{
"status": "affected",
"version": "1.50"
},
{
"status": "affected",
"version": "1.51"
},
{
"status": "affected",
"version": "1.52"
},
{
"status": "affected",
"version": "1.53"
},
{
"status": "affected",
"version": "1.54"
},
{
"status": "affected",
"version": "1.55"
},
{
"status": "affected",
"version": "1.56"
},
{
"status": "affected",
"version": "1.57"
},
{
"status": "affected",
"version": "1.58"
},
{
"status": "affected",
"version": "1.59"
},
{
"status": "affected",
"version": "1.60"
},
{
"status": "affected",
"version": "1.61"
},
{
"status": "affected",
"version": "1.62"
},
{
"status": "affected",
"version": "1.63"
},
{
"status": "affected",
"version": "1.64"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in GamerZ WP-PostRatings up to 1.64. It has been classified as problematic. This affects an unknown part of the file wp-postratings.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.65 is able to address this issue. The identifier of the patch is 6182a5682b12369ced0becd3b505439ce2eb8132. It is recommended to upgrade the affected component. The identifier VDB-259629 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in GamerZ WP-PostRatings bis 1.64 ausgemacht. Sie wurde als problematisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei wp-postratings.php. Durch das Manipulieren mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Ein Aktualisieren auf die Version 1.65 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 6182a5682b12369ced0becd3b505439ce2eb8132 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-08T13:00:05.786Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-259629 | GamerZ WP-PostRatings wp-postratings.php cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.259629"
},
{
"name": "VDB-259629 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.259629"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/dcc68d03693152eba14d6fb33ba42528ff60e06a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/6182a5682b12369ced0becd3b505439ce2eb8132"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/releases/tag/1.65"
}
],
"timeline": [
{
"lang": "en",
"time": "2011-02-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2011-02-17T00:00:00.000Z",
"value": "Countermeasure disclosed"
},
{
"lang": "en",
"time": "2024-04-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-04-07T11:46:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "GamerZ WP-PostRatings wp-postratings.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2011-10006",
"datePublished": "2024-04-08T13:00:05.786Z",
"dateReserved": "2024-04-07T09:40:51.546Z",
"dateUpdated": "2024-08-07T00:30:46.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40332 (GCVE-0-2023-40332)
Vulnerability from cvelistv5
Published
2024-06-04 07:18
Modified
2024-08-02 18:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-799 - Improper Control of Interaction Frequency
Summary
Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Lester ‘GaMerZ’ Chan | WP-PostRatings |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lesterchan:wp-postratings:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "wp-postratings",
"vendor": "lesterchan",
"versions": [
{
"lessThanOrEqual": "1.91",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T19:59:04.339119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T20:00:38.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.287Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-postratings",
"product": "WP-PostRatings",
"vendor": "Lester \u2018GaMerZ\u2019 Chan",
"versions": [
{
"changes": [
{
"at": "1.91.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.91",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mika (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.\u003cp\u003eThis issue affects WP-PostRatings: from n/a through 1.91.\u003c/p\u003e"
}
],
"value": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-799",
"description": "CWE-799 Improper Control of Interaction Frequency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T07:18:30.124Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.91.1 or a higher version."
}
],
"value": "Update to 1.91.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-PostRatings plugin \u003c= 1.91 - Rating limit Bypass vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40332",
"datePublished": "2024-06-04T07:18:30.124Z",
"dateReserved": "2023-08-14T14:47:15.113Z",
"dateUpdated": "2024-08-02T18:31:53.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4646 (GCVE-0-2011-4646)
Vulnerability from cvelistv5
Published
2011-11-30 19:00
Modified
2024-09-16 23:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076&old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php | x_refsource_CONFIRM | |
| http://wordpress.org/extend/plugins/wp-postratings/changelog/ | x_refsource_CONFIRM | |
| http://secunia.com/advisories/46328 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.securityfocus.com/bid/49986 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:19.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://wordpress.org/extend/plugins/wp-postratings/changelog/"
},
{
"name": "46328",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46328"
},
{
"name": "49986",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/49986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-11-30T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://wordpress.org/extend/plugins/wp-postratings/changelog/"
},
{
"name": "46328",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46328"
},
{
"name": "49986",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/49986"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4646",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php",
"refsource": "CONFIRM",
"url": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php"
},
{
"name": "http://wordpress.org/extend/plugins/wp-postratings/changelog/",
"refsource": "CONFIRM",
"url": "http://wordpress.org/extend/plugins/wp-postratings/changelog/"
},
{
"name": "46328",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46328"
},
{
"name": "49986",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/49986"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4646",
"datePublished": "2011-11-30T19:00:00Z",
"dateReserved": "2011-11-30T00:00:00Z",
"dateUpdated": "2024-09-16T23:51:44.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-01-16 16:15
Modified
2025-06-17 14:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lesterchan | wp-postratings | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "28B896C6-D8D0-4B5D-8B36-244EBDF8FEA9",
"versionEndExcluding": "1.86.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled."
},
{
"lang": "es",
"value": "El complemento de WordPress WP-PostRatings anterior a 1.86.1 no sanitiza el par\u00e1metro postratings_image de su p\u00e1gina de opciones (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Aunque solo los administradores pueden acceder a la p\u00e1gina y est\u00e1 protegida contra ataques CSRF, el problema a\u00fan se puede explotar cuando la capacidad unfiltered_html est\u00e1 deshabilitada."
}
],
"id": "CVE-2021-25117",
"lastModified": "2025-06-17T14:15:26.197",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-16T16:15:09.213",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-08 13:15
Modified
2025-04-11 12:51
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability was found in GamerZ WP-PostRatings up to 1.64. It has been classified as problematic. This affects an unknown part of the file wp-postratings.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.65 is able to address this issue. The identifier of the patch is 6182a5682b12369ced0becd3b505439ce2eb8132. It is recommended to upgrade the affected component. The identifier VDB-259629 was assigned to this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lesterchan | wp-postratings | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "D0BBFEBA-041A-461D-8547-A01254B6F12D",
"versionEndExcluding": "1.65",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in GamerZ WP-PostRatings up to 1.64. It has been classified as problematic. This affects an unknown part of the file wp-postratings.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.65 is able to address this issue. The identifier of the patch is 6182a5682b12369ced0becd3b505439ce2eb8132. It is recommended to upgrade the affected component. The identifier VDB-259629 was assigned to this vulnerability."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en GamerZ WP-PostRatings hasta 1.64. Ha sido clasificada como problem\u00e1tica. Una parte desconocida del archivo wp-postratings.php afecta a esta vulnerabilidad. La manipulaci\u00f3n conduce a cross site scripting. Es posible iniciar el ataque de forma remota. La actualizaci\u00f3n a la versi\u00f3n 1.65 puede solucionar este problema. El identificador del parche es 6182a5682b12369ced0becd3b505439ce2eb8132. Se recomienda actualizar el componente afectado. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-259629."
}
],
"id": "CVE-2011-10006",
"lastModified": "2025-04-11T12:51:20.457",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-08T13:15:07.680",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/6182a5682b12369ced0becd3b505439ce2eb8132"
},
{
"source": "cna@vuldb.com",
"tags": [
"Patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/dcc68d03693152eba14d6fb33ba42528ff60e06a"
},
{
"source": "cna@vuldb.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/wp-plugins/wp-postratings/releases/tag/1.65"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.259629"
},
{
"source": "cna@vuldb.com",
"tags": [
"VDB Entry",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.259629"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/6182a5682b12369ced0becd3b505439ce2eb8132"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wp-plugins/wp-postratings/commit/dcc68d03693152eba14d6fb33ba42528ff60e06a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/wp-plugins/wp-postratings/releases/tag/1.65"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.259629"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"VDB Entry",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.259629"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@vuldb.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-04 08:15
Modified
2025-04-03 00:27
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lesterchan | wp-postratings | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3B156C6F-960B-4643-816F-89732AE99AFB",
"versionEndExcluding": "1.91.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91."
},
{
"lang": "es",
"value": "La vulnerabilidad de control inadecuado de la frecuencia de interacci\u00f3n en Lester \u0027GaMerZ\u0027 Chan WP-PostRatings permite un uso indebido de la funcionalidad. Este problema afecta a WP-PostRatings: desde n/a hasta 1.91."
}
],
"id": "CVE-2023-40332",
"lastModified": "2025-04-03T00:27:22.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-04T08:15:09.337",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-799"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-11-30 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lesterchan | wp-postratings | 1.50 | |
| lesterchan | wp-postratings | 1.61 | |
| wordpress | wordpress | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:1.50:*:*:*:*:*:*:*",
"matchCriteriaId": "77C739F6-C5F1-4B4D-847D-35E2677112E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:1.61:*:*:*:*:*:*:*",
"matchCriteriaId": "0F66FC80-F08F-4CEF-B53D-799CD6D6661A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
"matchCriteriaId": "847DA578-4655-477E-8A6F-99FBE738E4F9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en wp-postratings.php del complemento WP-PostRatings 1.50, 1.61 y problablemente otras versiones anteriores a la 1.62 de WordPress. Permite a usuarios remotos autenticados con el perfil de autor ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del atributo id del c\u00f3digo de evaluaci\u00f3n (\"ratings shortcode\") al crear un post. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n procedente de terceras partes."
}
],
"id": "CVE-2011-4646",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-11-30T19:55:00.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46328"
},
{
"source": "cve@mitre.org",
"url": "http://wordpress.org/extend/plugins/wp-postratings/changelog/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/49986"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://plugins.trac.wordpress.org/changeset/430970/wp-postratings/trunk/wp-postratings.php?old=355076\u0026old_path=wp-postratings%2Ftrunk%2Fwp-postratings.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://wordpress.org/extend/plugins/wp-postratings/changelog/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/49986"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 22:15
Modified
2025-03-31 18:22
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Stored XSS.This issue affects WP-PostRatings: from n/a through 1.91.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lesterchan | wp-postratings | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lesterchan:wp-postratings:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "5EA6E94C-D573-4295-B148-4DA3410472BF",
"versionEndExcluding": "1.91.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Stored XSS.This issue affects WP-PostRatings: from n/a through 1.91.1."
},
{
"lang": "es",
"value": " La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o \u0027Cross-site Scripting\u0027) en Lester \u0027GaMerZ\u0027 Chan WP-PostRatings permite XSS almacenado. Este problema afecta a WP-PostRatings: desde n/a hasta 1.91.1."
}
],
"id": "CVE-2024-39659",
"lastModified": "2025-03-31T18:22:48.390",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T22:15:27.060",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}