Plugin Vulnerability Hub
Plugin · 9 known issues · Latest disclosed Apr 30, 2026

YASR – Yet Another Star Rating Plugin for WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin YASR – Yet Another Star Rating Plugin for WordPress (`yet-another-stars-rating`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-13362, CVE-2023-39305 and CVE-2023-33999, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 9
High or Critical: 2
Patch Coverage: 100%
Last Updated: Apr 30, 2026

Priority CVE Quick Links

Fast paths into YASR – Yet Another Star Rating Plugin for WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 8

CVE-2015-9465 | Severity: High | Patched in: 0.9.1
CVE-2015-9465 YASR – Yet Another Star Rating Plugin for WordPress SQL Injection

Yasr – Yet Another Stars Rating < 0.9.1 - Authenticated SQL Injection

CVE-2022-40699 | Severity: Medium | Patched in: 3.1.3
CVE-2022-40699 YASR – Yet Another Star Rating Plugin for WordPress Cross-Site Scripting

Yet Another Stars Rating <= 3.1.2 - Authenticated (Subscriber+) Cross-Site Scripting via Shortcodes

CVE-2022-4974 | Severity: Medium | Patched in: 2.0.2
CVE-2022-4974 YASR – Yet Another Star Rating Plugin for WordPress Cross-Site Request Forgery

Freemius SDK <= 2.4.2 - Missing Authorization Checks

CVE-2024-13362 | Severity: Medium | Patched in: 3.4.15
CVE-2024-13362 YASR – Yet Another Star Rating Plugin for WordPress Cross-Site Scripting

Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

CVE-2023-33999 | Severity: Medium | Patched in: 3.4.2
CVE-2023-33999 YASR – Yet Another Star Rating Plugin for WordPress Cross-Site Scripting

Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

CVE-2023-39305 | Severity: Medium | Patched in: 3.4.4
CVE-2023-39305 YASR – Yet Another Star Rating Plugin for WordPress Vulnerability

Yet Another Stars Rating <= 3.4.3 - Missing Authorization via init

CVE-2023-37867 | Severity: Medium | Patched in: 3.3.9
CVE-2023-37867 YASR – Yet Another Star Rating Plugin for WordPress Vulnerability

Yet Another Stars Rating <= 3.3.8 - Missing Authorization to Vote Tampering

CVE-2022-23980 | Severity: Medium | Patched in: 3.0.0
CVE-2022-23980 YASR – Yet Another Star Rating Plugin for WordPress Cross-Site Scripting

Yasr – Yet Another Stars Rating <= 2.9.9 - Cross-Site Scripting via source

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for YASR – Yet Another Star Rating Plugin for WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 1 high severity finding.
Recent CVEs: CVE-2024-13362, CVE-2023-39305 and CVE-2023-33999
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.


Known Vulnerabilities

Reports for YASR – Yet Another Star Rating Plugin for WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2024-13362
CVE-2024-13362: Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

Published: Apr 30, 2026
Patched Release: 3.4.15
Affected Versions: Versions up to 3.4.12
Next Step: Update to 3.4.15 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-39305
CVE-2023-39305: Yet Another Stars Rating <= 3.4.3 - Missing Authorization via init

The Yet Another Stars Rating plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the init function in versions up to, and including, 3.4.3. This makes it possible for unauthenticated attackers to vote on private or nonexistent posts.

Published: Nov 27, 2023
Patched Release: 3.4.4
Affected Versions: Versions up to 3.4.3
Next Step: Update to 3.4.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-33999
CVE-2023-33999: Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

The Freemius SDK for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘fs_request_get’ function in versions up to, and including, 2.5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi...

Published: Jul 18, 2023
Patched Release: 3.4.2
Affected Versions: 1.4.4 through 3.4.1
Next Step: Update to 3.4.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-37867
CVE-2023-37867: Yet Another Stars Rating <= 3.3.8 - Missing Authorization to Vote Tampering

The Yet Another Stars Rating plugin for WordPress is vulnerable to vote tampering in versions up to, and including, 3.3.8. This vulnerability can be utilized by unauthenticated users to vote repeatedly.

Published: Jul 10, 2023
Patched Release: 3.3.9
Affected Versions: Versions up to 3.3.8
Next Step: Update to 3.3.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2022-40699
CVE-2022-40699: Yet Another Stars Rating <= 3.1.2 - Authenticated (Subscriber+) Cross-Site Scripting via Shortcodes

The Yet Another Stars Rating plugin for WordPress is vulnerable to Cross-Site Scripting via shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level users to inject arbitrary web scripts in...

Published: Mar 03, 2023
Patched Release: 3.1.3
Affected Versions: Versions up to 3.1.2
Next Step: Update to 3.1.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2022-4974
CVE-2022-4974: Freemius SDK <= 2.4.2 - Missing Authorization Checks

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in...

Published: Mar 04, 2022
Patched Release: 2.0.2
Affected Versions: Versions before 2.0.2
Next Step: Update to 2.0.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2022-23980
CVE-2022-23980: Yasr – Yet Another Stars Rating <= 2.9.9 - Cross-Site Scripting via source

Cross-Site Scripting (XSS) vulnerability discovered in Yasr – Yet Another Stars Rating WordPress plugin (versions

Published: Feb 03, 2022
Patched Release: 3.0.0
Affected Versions: Versions up to 2.9.9
Next Step: Update to 3.0.0 or newer if supported.

Plugin Critical Patched: Yes
Yet Another Stars Rating <= 1.8.6 - Unauthenticated PHP Object Injection

The Yet Another Stars Rating plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.6 via deserialization of untrusted input from the unserialize() function found in the yasr-shortcode-functions.php file. This allows unauthenticated attac...

Published: Jan 27, 2019
Patched Release: 1.8.7
Affected Versions: Versions up to 1.8.6
Next Step: Update to 1.8.7 or newer if supported.

Plugin High Patched: Yes CVE-2015-9465
CVE-2015-9465: Yasr – Yet Another Stars Rating < 0.9.1 - Authenticated SQL Injection

The yet-another-stars-rating plugin before 0.9.1 for WordPress has yasr_get_multi_set_values_and_field SQL injection via the set_id parameter.

Published: Jul 06, 2015
Patched Release: 0.9.1
Affected Versions: Versions before 0.9.1
Next Step: Update to 0.9.1 or newer if supported.