PT-2020-6956 · WordPress · Wp-Postratings

Park Won Seok · Published 2020-12-24 · Updated 2025-06-17

CVE-2021-25117
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP-PostRatings WordPress plugin, versions prior to 1.86.1.
Description: The issue affects the WP-PostRatings WordPress plugin and stems from a lack of sanitization of the postratings image parameter on its options page, at the endpoint "wp-admin/admin.php?page=wp-postratings/postratings-options.php". Although this page is only accessible to administrators and is protected against CSRF attacks, the problem can still be exploited when the unfiltered_html capability is disabled. This could potentially allow a remote attacker to perform a CSRF attack.
Recommendations: For WP-PostRatings WordPress plugin versions prior to 1.86.1, update to version 1.86.1 or later to resolve the issue. As a temporary workaround, consider disabling the postratings image parameter on the affected options page until a patch is available. Restrict access to the options page "wp-admin/admin.php?page=wp-postratings/postratings-options.php" to minimize the risk of exploitation. Avoid using the postratings image parameter at the affected endpoint until the issue is resolved.
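The following is an added illustration of the defect class described above (an options-page value stored and rendered without sanitization) placed beside a hardened version; it is example code written for this advisory, not code from the WP-PostRatings plugin or its fix. The option name `example_postratings_image`, the form field `postratings_image`, the settings group, the nonce action and the allowlist of image-set names are all assumptions chosen for the example; the WordPress functions used (`update_option`, `get_option`, `sanitize_key`, `wp_unslash`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `selected`, `esc_attr`, `esc_html`, `register_setting`) are real core API.

```php
<?php
// Added example, not the plugin's own code. Option/field/group names are assumed.

// --- Weak form: the submitted value is stored as-is and echoed back unescaped.
//     Whatever an admin-level request sends ends up in the option and in the page.
function weak_save_image_option() {
    if ( isset( $_POST['postratings_image'] ) ) {
        update_option( 'example_postratings_image', $_POST['postratings_image'] ); // no sanitization
    }
}
function weak_render_image_field() {
    $value = get_option( 'example_postratings_image', 'stars' );
    echo '<input type="text" name="postratings_image" value="' . $value . '">'; // no escaping
}

// --- Hardened form: capability check, nonce (CSRF) check, allowlist validation
//     on save, and escaping on output. The option can only ever hold a known key.
const EXAMPLE_IMAGE_SETS = array( 'stars', 'stars_crystal', 'stars_png' ); // assumed allowlist

function example_sanitize_image_set( $raw ) {
    // Reduce to [a-z0-9_-], then require the result to be one of the known sets.
    $key = sanitize_key( wp_unslash( (string) $raw ) );
    return in_array( $key, EXAMPLE_IMAGE_SETS, true ) ? $key : 'stars';
}

function example_save_image_option() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_postratings_options' ); // rejects requests without a valid nonce
    if ( isset( $_POST['postratings_image'] ) ) {
        update_option(
            'example_postratings_image',
            example_sanitize_image_set( $_POST['postratings_image'] )
        );
    }
}

function example_render_image_field() {
    $value = get_option( 'example_postratings_image', 'stars' );
    wp_nonce_field( 'example_postratings_options' );
    // A select bound to the allowlist: every emitted attribute and label is escaped.
    echo '<select name="postratings_image">';
    foreach ( EXAMPLE_IMAGE_SETS as $set ) {
        printf(
            '<option value="%s"%s>%s</option>',
            esc_attr( $set ),
            selected( $value, $set, false ),
            esc_html( $set )
        );
    }
    echo '</select>';
}

// Registering the option with a sanitize_callback makes the allowlist run on
// every save path (Settings API or direct update_option), not only this form.
add_action( 'admin_init', function () {
    register_setting( 'example_postratings', 'example_postratings_image', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_image_set',
        'default'           => 'stars',
    ) );
} );
```

The design point is that an administrator-only page is not a substitute for validation: the value is constrained to an allowlist when written and escaped when read, so neither a forged request nor a stored value can put markup into the options page, and the nonce check is what makes the "protected against CSRF" property hold for this handler.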

Weakness Enumeration: CSRF

Related Identifiers

BDU:2024-00648
CVE-2021-25117

Affected Products

Wp-Postratings