CVE-2026-4301: CWE-862 Missing Authorization in videowhisper Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings
The Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings WordPress plugin up to version 1. 6. 4 suffers from a missing authorization vulnerability. The AJAX handler vwrsr_review() does not properly verify user capabilities or nonces, relying only on a logged-in user check. This allows authenticated users with Subscriber-level access or higher to modify arbitrary posts by manipulating the 'rating_id' parameter. Attackers can overwrite post title, content, author, post type, and metadata, effectively taking over post content on the site.
AI Analysis
Technical Summary
CVE-2026-4301 describes a missing authorization vulnerability (CWE-862) in the Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings WordPress plugin (up to version 1.6.4). The AJAX handler vwrsr_review() lacks capability checks and nonce verification, only confirming the user is logged in. When the 'form' parameter is 'update', the handler uses the user-supplied 'rating_id' GET parameter as a post ID and passes it to wp_update_post() and update_post_meta() without proper authorization. This enables authenticated users with low privileges (Subscriber-level) to modify arbitrary posts and pages, including changing title, content, author, post type, and metadata, resulting in full post content takeover.
Potential Impact
Authenticated users with Subscriber-level access or higher can modify arbitrary posts and pages on the affected WordPress site. This includes changing the post's title, content, author, post type, and metadata. Such unauthorized modifications can lead to content integrity loss, potential privilege escalation via author changes, and site defacement or misinformation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict plugin usage to trusted users only or disable the plugin if possible. Monitor for updates from the vendor or plugin maintainers to apply an official fix once available.
CVE-2026-4301: CWE-862 Missing Authorization in videowhisper Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings
Description
The Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings WordPress plugin up to version 1. 6. 4 suffers from a missing authorization vulnerability. The AJAX handler vwrsr_review() does not properly verify user capabilities or nonces, relying only on a logged-in user check. This allows authenticated users with Subscriber-level access or higher to modify arbitrary posts by manipulating the 'rating_id' parameter. Attackers can overwrite post title, content, author, post type, and metadata, effectively taking over post content on the site.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4301 describes a missing authorization vulnerability (CWE-862) in the Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings WordPress plugin (up to version 1.6.4). The AJAX handler vwrsr_review() lacks capability checks and nonce verification, only confirming the user is logged in. When the 'form' parameter is 'update', the handler uses the user-supplied 'rating_id' GET parameter as a post ID and passes it to wp_update_post() and update_post_meta() without proper authorization. This enables authenticated users with low privileges (Subscriber-level) to modify arbitrary posts and pages, including changing title, content, author, post type, and metadata, resulting in full post content takeover.
Potential Impact
Authenticated users with Subscriber-level access or higher can modify arbitrary posts and pages on the affected WordPress site. This includes changing the post's title, content, author, post type, and metadata. Such unauthorized modifications can lead to content integrity loss, potential privilege escalation via author changes, and site defacement or misinformation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict plugin usage to trusted users only or disable the plugin if possible. Monitor for updates from the vendor or plugin maintainers to apply an official fix once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-16T20:01:00.547Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a02e308cbff5d8610bad06a
Added to database: 5/12/2026, 8:21:28 AM
Last enriched: 5/12/2026, 8:52:35 AM
Last updated: 5/12/2026, 9:50:11 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.