CVE-2026-4301 Overview
CVE-2026-4301 is a Missing Authorization vulnerability [CWE-862] in the Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress, affecting all versions up to and including 1.6.4. The flaw resides in the vwrsr_review() AJAX handler, which lacks capability checks and nonce verification. Authenticated attackers with Subscriber-level access or higher can manipulate the rating_id GET parameter to overwrite arbitrary posts and pages. The attack modifies post title, content, author, post type, and metadata, enabling full post content takeover across the WordPress site.
Critical Impact
Subscriber-level authenticated attackers can take over and overwrite arbitrary WordPress posts and pages, including those owned by administrators.
Affected Products
- Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress
- All plugin versions up to and including 1.6.4
- WordPress sites with this plugin installed and user registration enabled
Discovery Timeline
- 2026-05-12 - CVE-2026-4301 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-4301
Vulnerability Analysis
The vulnerability stems from inadequate access control in the vwrsr_review() AJAX handler registered by the plugin. The function relies solely on an is_user_logged_in() check, omitting both current_user_can() capability verification and wp_verify_nonce() request validation. This allows any authenticated user, including the lowest-privileged Subscriber role, to invoke the handler with arbitrary parameters.
When the form parameter is set to update, the handler accepts a user-supplied rating_id GET parameter. It treats this value as the target post ID and passes it directly to wp_update_post() without ownership validation. The resulting update overwrites the target post's title, content, author (set to the attacker's user ID), post_type (changed to the plugin's review custom post type), and post status.
At lines 758-763 of rate-star-review.php, update_post_meta() is additionally invoked against the attacker-controlled post ID, allowing modification of arbitrary post metadata.
Root Cause
The root cause is Missing Authorization [CWE-862]. The plugin treats authentication as equivalent to authorization, failing to verify that the requesting user has permission to edit the targeted post. WordPress requires explicit capability checks such as edit_post for state-changing operations on arbitrary content.
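As an added illustration (not the plugin's own code), the three checks this section says are missing, in the order a hardened handler would apply them before calling wp_update_post(); the nonce action name 'vwrsr_review_nonce', the 'review' post type slug and the title/content request fields are assumptions.

```php
<?php
// Added example, not the plugin's code: the authorization pattern a hardened
// vwrsr_review handler enforces before wp_update_post(). The action, form and
// rating_id names come from the advisory; the nonce action 'vwrsr_review_nonce',
// the 'review' post type slug and the title/content fields are assumptions.
add_action( 'wp_ajax_vwrsr_review', 'vwrsr_review_hardened' );

function vwrsr_review_hardened() {
    // 1. Request validation: a missing or stale nonce ends the request
    //    with HTTP 403 before any parameter is read.
    check_ajax_referer( 'vwrsr_review_nonce', 'nonce' );

    $form      = isset( $_REQUEST['form'] ) ? sanitize_key( $_REQUEST['form'] ) : '';
    $rating_id = isset( $_REQUEST['rating_id'] ) ? absint( $_REQUEST['rating_id'] ) : 0;

    if ( 'update' !== $form ) {
        wp_send_json_error( 'unsupported form', 400 );
    }

    // 2. Object type check: only the plugin's own review posts are eligible,
    //    so the ID of a page or blog post is rejected even though it exists.
    $post = get_post( $rating_id );
    if ( ! $post || 'review' !== $post->post_type ) {
        wp_send_json_error( 'not a review', 404 );
    }

    // 3. Capability check on the specific object. edit_post is a meta
    //    capability resolved per post, so a Subscriber fails here even
    //    though is_user_logged_in() is true.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only an explicit allow-list of fields is written; post_type,
    // post_author and post_status are never taken from the request.
    $result = wp_update_post(
        array(
            'ID'           => $post->ID,
            'post_title'   => sanitize_text_field( wp_unslash( $_REQUEST['title'] ?? '' ) ),
            'post_content' => wp_kses_post( wp_unslash( $_REQUEST['content'] ?? '' ) ),
        ),
        true // return WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $result ) );
}
```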
Attack Vector
An attacker registers or uses an existing Subscriber-level account. The attacker sends an authenticated AJAX request to admin-ajax.php with action=vwrsr_review, form=update, and rating_id set to the target post or page ID. The plugin processes the request and overwrites the target content with attacker-supplied values. No user interaction from the victim is required.
References to the vulnerable code paths are available in the WordPress plugin Trac entries for lines 730, 754, and 758 of the plugin source.
Detection Methods for CVE-2026-4301
Indicators of Compromise
- POST or GET requests to /wp-admin/admin-ajax.php containing action=vwrsr_review combined with form=update and a rating_id parameter referencing non-review post IDs.
- WordPress posts or pages whose post_type has unexpectedly changed to review or whose post_author no longer matches the original creator.
- Unexpected entries in wp_postmeta for posts that are not part of the review plugin's intended workflow.
Detection Strategies
- Monitor WordPress audit logs for wp_update_post events originating from Subscriber-level accounts targeting posts they do not own.
- Inspect web server access logs for query strings containing vwrsr_review paired with numeric rating_id values that map to published pages or core posts.
- Compare current post titles, content hashes, and authors against backup snapshots to identify unauthorized rewrites.
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php requests and alert on high-volume calls to the vwrsr_review action from a single account.
- Track changes to post_type and post_author fields in the wp_posts table using database triggers or a security plugin.
- Review the Wordfence Vulnerability Report for additional detection guidance and signature data.
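An added example (not from the advisory, the plugin or Wordfence) of tracking post_type and post_author changes from inside WordPress itself, as a must-use plugin hooked on the post_updated action; the log line format and the error_log destination are assumptions.

```php
<?php
// Added example, not from the advisory, the plugin or Wordfence: a must-use
// plugin (wp-content/mu-plugins/) that records the indicators listed above:
// an update that changes post_type or post_author, or one performed by a user
// who lacks edit_post for the target. Log format and error_log sink are assumptions.
add_action( 'post_updated', 'cve_2026_4301_audit_post_update', 10, 3 );

function cve_2026_4301_audit_post_update( $post_id, $post_after, $post_before ) {
    $reasons = array();

    if ( $post_after->post_type !== $post_before->post_type ) {
        $reasons[] = sprintf( 'post_type %s->%s', $post_before->post_type, $post_after->post_type );
    }
    if ( (int) $post_after->post_author !== (int) $post_before->post_author ) {
        $reasons[] = sprintf( 'post_author %d->%d', $post_before->post_author, $post_after->post_author );
    }
    // This check runs after the write, so post_author may already point at the
    // actor; a Subscriber still fails because that role has no edit_posts cap.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        $reasons[] = 'actor lacks edit_post';
    }

    if ( empty( $reasons ) ) {
        return;
    }

    $user   = wp_get_current_user();
    $roles  = implode( '|', (array) $user->roles );
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // One line per suspicious update; forward it to the SIEM on the
    // [post-update-audit] tag. Cron and WP-CLI runs appear with user ID 0.
    error_log( sprintf(
        '[post-update-audit] post=%d user=%d(%s) roles=%s ajax_action=%s ip=%s reasons=%s',
        $post_id,
        $user->ID,
        $user->user_login ? $user->user_login : '-',
        $roles ? $roles : '-',
        $action,
        $ip,
        implode( '; ', $reasons )
    ) );
}
```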
How to Mitigate CVE-2026-4301
Immediate Actions Required
- Update the Rate Star Review Vote plugin to a version newer than 1.6.4 once a patched release is published by the vendor.
- If no patched version is available, deactivate and remove the plugin from all affected WordPress sites.
- Audit user accounts and remove unused Subscriber-level accounts, and disable open user registration if not required.
- Restore any modified posts or pages from a known-good backup and reset affected post authors.
Patch Information
At the time of publication, no fixed version is identified in the NVD record. Administrators should monitor the plugin page on WordPress.org and the Wordfence Vulnerability Report for patch availability. Until a fix ships, removal of the plugin is the most reliable remediation.
Workarounds
- Block requests to admin-ajax.php where the action parameter equals vwrsr_review at the web application firewall (WAF) layer.
- Restrict the wp-admin directory using HTTP authentication or IP allowlisting for non-administrative users.
- Disable new user registration in WordPress settings to reduce the pool of potential Subscriber-level attackers.
# Example WAF rule (ModSecurity) to block exploitation attempts.
# The two SecRule lines form a chain: the request is denied only when
# action=vwrsr_review AND form=update are both present. This also blocks
# legitimate review updates through the plugin until it is patched or removed.
SecRule ARGS:action "@streq vwrsr_review" \
"id:1002026,\
phase:2,\
t:none,\
deny,\
status:403,\
log,\
chain,\
msg:'CVE-2026-4301 Rate Star Review unauthorized update attempt'"
SecRule ARGS:form "@streq update" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.