Title: Vulnerabilities
Last modified: August 20, 2016

---

# Vulnerabilities

 *  [tniessen](https://wordpress.org/support/users/tniessen/)
 * (@tniessen)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/vulnerabilities/)
 * Hello,
 * we have used this plugin for some months now. It is doing a good job on our site
   and is stable.
    I stumbled over two problems today:
    1. This plugin is vulnerable to integer injections: It does not check the POST 
       data in AJAX requests. It is possible to inject huge (both positive and negative)
       ratings through the ‘stars’ parameter.
    2. Your PHP code does not check the AJAX source IP. It just tells the browser not
       to allow rating more often than once. This allows an unlimited number of ratings.
 * Both vulnerabilities allow setting a post’s rating to any value. Combining them
   makes it even easier.
 * Best regards
    tniessen
 * [http://wordpress.org/extend/plugins/kk-star-ratings/](http://wordpress.org/extend/plugins/kk-star-ratings/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [tniessen](https://wordpress.org/support/users/tniessen/)
 * (@tniessen)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/vulnerabilities/#post-3478283)
 * Thanks for fixing #1! But I think it is still possible to rate an article several
   times from a single IP address:
    `curl --data "action=kksr_ajax&id=$POST_ID&stars
   =$STARS&_wpnonce=$NONCE" $BLOG_URL/wp-admin/admin-ajax.php`
 *  Plugin Contributor [Kamal Khan](https://wordpress.org/support/users/bhittani/)
 * (@bhittani)
 * [13 years ago](https://wordpress.org/support/topic/vulnerabilities/#post-3478284)
 * I don’t think so. I will dry run it again to check.
 * What is happening right now is that the ip is stored in the db as an array. If
   you try posting multiple times, it will fail because it will already find the
   ip in the array.
 *  Plugin Contributor [Kamal Khan](https://wordpress.org/support/users/bhittani/)
 * (@bhittani)
 * [13 years ago](https://wordpress.org/support/topic/vulnerabilities/#post-3478285)
 * okay, you are right. I thought of adding the check, but realize that it went 
   passed my head and was not implemented.
 * Will be releasing a fix shortly.
 * Thanks

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Vulnerabilities’ is closed to new replies.

 * ![](https://ps.w.org/kk-star-ratings/assets/icon-256x256.jpg?rev=2140680)
 * [kk Star Ratings - Rate Post & Collect User Feedbacks](https://wordpress.org/plugins/kk-star-ratings/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/kk-star-ratings/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/kk-star-ratings/)
 * [Active Topics](https://wordpress.org/support/plugin/kk-star-ratings/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/kk-star-ratings/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/kk-star-ratings/reviews/)

 * 3 replies
 * 2 participants
 * Last reply from: [Kamal Khan](https://wordpress.org/support/users/bhittani/)
 * Last activity: [13 years ago](https://wordpress.org/support/topic/vulnerabilities/#post-3478285)
 * Status: not resolved