Advisory:

Rating-Widget: Star Review System allows anybody to turn on debug mode and view errors and warnings

Vulnerability

Last revised:

The plugin allows anybody to turn on debug mode and view errors and warnings. Errors and warnings should be turned off on production sites as they reveal information useful to attackers such as paths, and may give hints as to how themes and plugins are written.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Add 1/0;┬áto functions.php in the theme
  • Enable this plugin
  • Visit http://localhost/?rwdbg=true
  • (You may need to view source, depending on the theme)
  • You will see a PHP warning, including the path to your functions.php file

Advisory timeline

  • 2017-10-30: Discovered
  • 2017-11-02: Reported to vendor via email
  • 2017-11-03: Vendor reports it will be fixed in the next release
  • 2017-12-12: Vendor reports issue fixed
  • 2018-04-10: Advisory published

Mitigation/further actions

Upgrade to version 2.9.0 or later.