CVE-2024-13392
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages via the 'videowhisper_reviews' shortcode. When other users visit pages containing these injected scripts, the scripts execute in their browsers, potentially stealing session cookies, redirecting to malicious sites, or performing actions on behalf of the user. All WordPress sites using the Rate Star Review Vote plugin versions up to 1.6.3 are affected.
💻 Affected Systems
- Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, deface the website, or redirect visitors to phishing/malware sites.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated and no script injection is possible.
🎯 Exploit Status
Exploitation requires authenticated access (contributor role or higher). The vulnerability is in a WordPress plugin with public technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.6.4+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the plugin until patched
wp plugin deactivate rate-star-review
Restrict user roles
allRemove contributor role access or limit user registration
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in shortcode attributes
- Remove or restrict the 'videowhisper_reviews' shortcode usage across the site
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Rate Star Review Vote' plugin version. If version is 1.6.3 or lower, you are vulnerable.Check Version:
wp plugin get rate-star-review --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.6.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with videowhisper_reviews parameters containing script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript in page responses containing videowhisper_reviews shortcode
SIEM Query:
source="wordpress.log" AND ("videowhisper_reviews" AND ("<script" OR "javascript:" OR "onerror="))