Plugin inspection:

Rating-Widget: Star Review System

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

This recommendation applies to version 2.8.9 of this plugin, but the most recent version is 3.0.1. These findings may no longer be correct.

Findings

  • At over 32,000 lines of PHP this is an extremely large plugin meaning we won’t get to read as much of the codebase as we would for a smaller plugin
  • Adding ?rwdbg=true to any URL will set the following options, which should never happen on a production site as it will give attackers a lot of useful information:
    • error_reporting( E_ALL );
    • ini_set( 'error_reporting', E_ALL );
    • ini_set( 'display_errors', true );
    • ini_set( 'html_errors', true );
  • Communicates with rating-widget.com via HTTP, allowing interception and modification by MITM

Reason for the 'Use with caution' result

The plugin has been given this recommendation at the tester's discretion:

Failure criteria

  • Very large codebase

Read more about our failure criteria.