CVE-2024-12309: CWE-639 Authorization Bypass Through User-Controlled Key in collizo4sky Rate My Post – Star Rating Plugin by FeedbackWP
CVE-2024-12309 is a medium severity vulnerability in the Rate My Post – Star Rating Plugin by FeedbackWP for WordPress, affecting all versions up to 4.2.4. It is an authorization bypass issue caused by an insecure direct object reference (CWE-639) due to missing validation on a user-controlled key in the get_post_status() function. This flaw allows unauthenticated attackers to vote on unpublished or scheduled posts, which should normally be inaccessible. The vulnerability does not impact confidentiality or availability but can affect the integrity of post ratings. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize patching or mitigating this issue to prevent manipulation of content ratings and potential reputational damage.
AI Analysis
Technical Summary
The Rate My Post – Star Rating Plugin by FeedbackWP, widely used in WordPress environments to enable star rating functionality on posts, suffers from an authorization bypass vulnerability identified as CVE-2024-12309. This vulnerability arises from an insecure direct object reference (IDOR), classified under CWE-639, where the plugin fails to properly validate a user-controlled key parameter passed to the get_post_status() function. As a result, unauthenticated attackers can manipulate this parameter to cast votes on posts that are unpublished or scheduled, which should normally be restricted. The flaw exists in all plugin versions up to and including 4.2.4. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. Although the vulnerability does not expose sensitive data or disrupt service availability, it compromises the integrity of the rating system by allowing unauthorized manipulation of post ratings. This can undermine trust in the content and skew user feedback metrics. No patches or fixes are currently linked, and no exploits have been reported in the wild, but the presence of this vulnerability in a popular WordPress plugin necessitates immediate attention from site administrators.
Potential Impact
The primary impact of CVE-2024-12309 is on the integrity of content ratings within WordPress sites using the affected plugin. Attackers can artificially inflate or deflate ratings on unpublished or scheduled posts, potentially misleading site visitors or administrators about the quality or popularity of content before it is publicly available. This can damage the credibility of the website, distort user feedback mechanisms, and affect decision-making based on rating data. While confidentiality and availability are not directly impacted, the manipulation of ratings could be leveraged in broader disinformation or reputation sabotage campaigns. For organizations relying heavily on user-generated ratings for content promotion or e-commerce, this could translate into financial or reputational losses. The ease of exploitation without authentication increases the likelihood of automated or mass exploitation attempts, particularly on high-traffic WordPress sites.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Rate My Post – Star Rating Plugin to a patched version once it becomes available. In the absence of an official patch, administrators can implement temporary workarounds such as restricting access to the rating functionality via web application firewall (WAF) rules that block suspicious requests targeting the get_post_status() parameter. Additionally, monitoring and logging rating activity on unpublished or scheduled posts can help detect anomalous voting patterns indicative of exploitation. Site owners should also consider disabling the rating feature on unpublished content until a fix is applied. Reviewing and tightening access controls and input validation within custom or third-party plugins can prevent similar IDOR issues. Regular security audits and plugin vulnerability monitoring are recommended to promptly identify and address such risks.
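To make the access-control point concrete, the following is an added example written for this page, not code from the Rate My Post plugin or from FeedbackWP. It shows a hypothetical WordPress AJAX vote handler with the CWE-639 pattern the advisory describes (the post ID is taken from the request and never checked against post state) next to a hardened version that validates the user-controlled post ID with get_post_status() before accepting a vote. All hypo_* function names, the hypo_vote action and the meta keys are assumptions; get_post_status(), post_password_required(), check_ajax_referer(), absint(), wp_send_json_error() and wp_send_json_success() are real WordPress core functions.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical WordPress AJAX
 * vote handler showing the missing-status-check pattern beside a hardened
 * version. Every hypo_* name, the 'hypo_vote' action and the meta keys are
 * assumptions made for this illustration.
 */

// --- Pattern described by the advisory (illustrative, NOT registered):
// the post ID is user-controlled and nothing checks whether that post is
// actually published, so drafts and scheduled posts accept votes too.
function hypo_vote_insecure() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $rating  = isset( $_POST['rating'] )  ? absint( $_POST['rating'] )  : 0;

    hypo_store_vote( $post_id, $rating ); // no check of post state at all
    wp_send_json_success();
}

// --- Hardened version: validate the user-controlled key against post state
// and require the nonce printed into the rating widget.
function hypo_vote_secure() {
    // Reject requests that do not carry the nonce from a rendered widget.
    // For anonymous visitors this is a CSRF control, not authentication, and
    // full-page caching can serve stale nonces; the status check below is
    // the control that actually closes the IDOR.
    check_ajax_referer( 'hypo_vote_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $rating  = isset( $_POST['rating'] )  ? absint( $_POST['rating'] )  : 0;

    if ( $rating < 1 || $rating > 5 ) {
        wp_send_json_error( 'invalid rating', 400 );
    }

    // Only published posts may receive votes. get_post_status() returns
    // false for an unknown ID and 'draft', 'future' (scheduled), 'pending',
    // 'private', 'trash', ... for posts that are not public.
    if ( get_post_status( $post_id ) !== 'publish' ) {
        wp_send_json_error( 'post not available for rating', 403 );
    }

    // A published but password-protected post is also not public content.
    if ( post_password_required( $post_id ) ) {
        wp_send_json_error( 'post not available for rating', 403 );
    }

    hypo_store_vote( $post_id, $rating );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Assumed storage helper: keeps a running count and sum in post meta.
function hypo_store_vote( $post_id, $rating ) {
    $count = (int) get_post_meta( $post_id, '_hypo_vote_count', true );
    $sum   = (int) get_post_meta( $post_id, '_hypo_vote_sum', true );
    update_post_meta( $post_id, '_hypo_vote_count', $count + 1 );
    update_post_meta( $post_id, '_hypo_vote_sum', $sum + $rating );
}

// Register only the hardened handler, for logged-in and anonymous visitors.
add_action( 'wp_ajax_hypo_vote',        'hypo_vote_secure' );
add_action( 'wp_ajax_nopriv_hypo_vote', 'hypo_vote_secure' );
```

The same status check is also what a detection rule can key on: any vote request whose post ID resolves to a status other than publish is, by construction, a request the hardened handler rejects and worth logging.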
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-06T15:16:29.232Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e36b7ef31ef0b597da3
Added to database: 2/25/2026, 9:48:38 PM
Last enriched: 2/26/2026, 5:29:19 AM
Last updated: 2/26/2026, 11:11:01 AM