Yet Another Stars Rating <= 1.8.6 - PHP Object Injection
Description
An unauthenticated PHP object injection in the "Yasr – Yet Another Stars Rating" WordPress plugin provides a starting point for RCE and similar high-severity vulnerabilities. As of 27.01.2019, the plugin has over 20,000 active installations and roughly 500,000 downloads. A shortcode provided by the plugin passes cookie data without any filtering to PHP's unsafe unserialize() function.
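The pattern the description refers to, shown next to a hardened form, as an added example; this is not the plugin's code, and the function and cookie names are hypothetical.

```php
<?php
// Added example, not code from the Yasr plugin. Function and cookie names are hypothetical.

// Vulnerable pattern (CWE-502): raw cookie contents reach unserialize(), so any class
// loaded by WordPress or another plugin can be instantiated with attacker-chosen
// properties, and its __wakeup()/__destruct() methods run with those properties.
function load_visitor_ratings_unsafe(array $cookies): array
{
    if (!isset($cookies['visitor_ratings'])) {
        return [];
    }
    $data = unserialize($cookies['visitor_ratings']);
    return is_array($data) ? $data : [];
}

// Hardened pattern: refuse object instantiation and validate the decoded shape.
// With allowed_classes => false (PHP >= 7.0) every serialized object becomes a
// __PHP_Incomplete_Class, which has no magic methods, so no gadget code executes.
function load_visitor_ratings_safe(array $cookies): array
{
    if (!isset($cookies['visitor_ratings'])) {
        return [];
    }
    $raw = $cookies['visitor_ratings'];
    // Cheap pre-checks: bound the size and require a serialized array at the top level.
    if (!is_string($raw) || strlen($raw) > 4096 || substr($raw, 0, 2) !== 'a:') {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Keep only the shape the feature actually needs: int post ID => rating 1..5.
    $clean = [];
    foreach ($data as $post_id => $rating) {
        if (is_int($post_id) && is_int($rating) && $rating >= 1 && $rating <= 5) {
            $clean[$post_id] = $rating;
        }
    }
    return $clean;
}
```

For browser-supplied state the better fix is to avoid the PHP serialization format altogether and store a JSON document read back with json_decode($raw, true), which can never instantiate classes.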

Affects Plugin

fixed in version 1.8.7

References

URL https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress
URL https://plugins.trac.wordpress.org/changeset/2019911/yet-another-stars-rating/tags/1.8.7/lib/yasr-functions.php

Classification

Type OBJECTINJECTION
OWASP Top 10 A8: Insecure Deserialization
CWE CWE-502

Miscellaneous

Original Researcher Paul Dannewitz
Submitter Paul Dannewitz
Submitter Website https://dannewitz.ninja
Submitter Twitter padannewitz
Views 5736
Verified No
WPVDB ID 9207

Timeline

Publicly Published 2019-01-27
Added 2019-01-28
Last Updated 2019-01-28
