Refine your search
1 vulnerability found for Rate My Post – Star Rating Plugin by FeedbackWP by properfraction
CVE-2024-12309 (GCVE-0-2024-12309)
Vulnerability from cvelistv5
Published
2024-12-13 08:24
Modified
2026-04-08 17:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| properfraction | Rate My Post – Star Rating Plugin by FeedbackWP |
Version: 0 ≤ 4.2.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T15:59:33.231113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:41:21.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rate My Post \u2013 Star Rating Plugin by FeedbackWP",
"vendor": "properfraction",
"versions": [
{
"lessThanOrEqual": "4.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hay Mizrachi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rate My Post \u2013 Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:21:57.070Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9aa467f-9ac2-4a84-b0bb-761101733af7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3206801/rate-my-post/trunk/public/class-rate-my-post-public.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Rate My Post \u2013 Star Rating Plugin by FeedbackWP \u003c= 4.2.4 - Unauthenticated Voting On Scheduled Posts"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12309",
"datePublished": "2024-12-13T08:24:51.699Z",
"dateReserved": "2024-12-06T15:16:29.232Z",
"dateUpdated": "2026-04-08T17:21:57.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}