Advisory:

Rating-Widget: Star Review System allows anybody to turn on debug mode and view errors and warnings

Vulnerability

Last revised:

The plugin allows anybody to turn on debug mode and view errors and warnings. Errors and warnings should be disabled on production sites, as they reveal information useful to attackers (for example filesystem paths) and may hint at how themes and plugins are written.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 5 (Medium)
  • Access vector: Network
  • Access complexity: Low
  • Authentication: None
  • Confidentiality impact: Partial
  • Integrity impact: None
  • Availability impact: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Add 1/0; to functions.php in the theme
  • Enable this plugin
  • Visit http://localhost/?rwdbg=true
  • (You may need to view source, depending on the theme)
  • You will see a PHP warning, including the path to your functions.php file
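The pattern behind this advisory, as an added illustration that is not the plugin's own code (the advisory does not reproduce it): a WordPress plugin fragment that lets an unauthenticated query parameter switch on error display, followed by a gated version that only honours the request when the site is already in WP_DEBUG mode, the visitor is an administrator, and the request carries a valid nonce. The plugin name, the `dbgex_*` function names, the `dbgex` query parameter and the nonce action are assumptions made for this example.

```php
<?php
/*
Plugin Name: Debug Toggle Example (hypothetical, for illustration only)
*/

// Vulnerable pattern, kept here only for contrast: the query string is
// attacker-controlled and unauthenticated, so any visitor can turn on
// on-screen warnings (which include absolute paths of theme/plugin files).
//
// if ( isset( $_GET['rwdbg'] ) && 'true' === $_GET['rwdbg'] ) {
//     ini_set( 'display_errors', '1' );
//     error_reporting( E_ALL );
// }

// Hardened form (assumed design): three independent gates before any
// request is allowed to change error reporting.
function dbgex_maybe_enable_debug() {
    // Gate 1: a production site has WP_DEBUG off in wp-config.php; a request
    // must never be able to override that site-wide decision.
    if ( ! defined( 'WP_DEBUG' ) || ! WP_DEBUG ) {
        return;
    }

    // Gate 2: only an administrator (manage_options) may see diagnostics.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // Gate 3: the toggle must be an explicit, nonce-protected request so a
    // link an admin is tricked into opening cannot flip it on.
    if ( ! isset( $_GET['dbgex'], $_GET['_wpnonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'dbgex_toggle' ) ) {
        return;
    }

    // All gates passed: show diagnostics to this administrator only.
    ini_set( 'display_errors', '1' );
    error_reporting( E_ALL );
}
add_action( 'init', 'dbgex_maybe_enable_debug' );

// Helper for building the toggle link from an admin page, so the nonce is
// generated by WordPress rather than typed by hand.
function dbgex_toggle_url() {
    return wp_nonce_url( add_query_arg( 'dbgex', '1', home_url( '/' ) ), 'dbgex_toggle' );
}
```

When reviewing a plugin for this class of issue, the check is simple: any `ini_set( 'display_errors', ... )`, `error_reporting(...)` or `define( 'WP_DEBUG', ... )` whose condition is built from `$_GET`, `$_POST`, `$_COOKIE` or `$_REQUEST` without a capability check is a finding. Note that a nonce alone is not an authorization check in WordPress; the `current_user_can()` gate is the one that actually restricts who can see the output.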

Advisory timeline

  • 2017-10-30: Discovered
  • 2017-11-02: Reported to vendor via email
  • 2017-11-03: Vendor reports it will be fixed in the next release
  • 2017-12-12: Vendor reports issue fixed
  • 2018-04-10: Advisory published

Mitigation/further actions

Upgrade to version 2.9.0 or later.