
User ID Manipulation Vulnerability #93

@bluebyte85

Description:

The WP Ulike (Pro) plugin allows users to upvote items such as posts or comments. However, the user_id parameter sent with the vote request can be manipulated, allowing users to submit votes on behalf of other users. This issue compromises the integrity of the voting system, as it enables standard users to artificially inflate upvotes.

Steps to Reproduce:

  1. Send a request to upvote a post or comment with the following parameters, including the user_id.
  2. Observe that the vote counter for the post/comment is increased by one, and the response indicates a successful vote.
  3. Resend the request while altering the user_id parameter.
  4. The vote counter is again increased, allowing multiple upvotes from different users, even if unauthorized.

Expected Behavior:

Standard users should not be able to modify or send the user_id parameter in voting requests. The system should automatically assign the logged-in user’s ID to prevent unauthorized voting on behalf of others.

Actual Behavior:

Users can manipulate the user_id parameter and submit upvotes for other users, allowing them to artificially increase the vote count by sending multiple altered requests.

Impact:

This vulnerability undermines the voting system by allowing standard users to fraudulently manipulate upvotes.

Proposed Solution:

Ensure that the user_id is set and validated server-side to match the logged-in user's ID, preventing tampering or modification by the client.

(Screenshots attached to the original report: wp-ulike-1 through wp-ulike-4.)

Environment:

WP Ulike (Pro): 4.7.4 (1.8.4)
WordPress version: 6.6.2
PHP: 8.2
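The following is an added illustration, not part of the original report and not WP Ulike's code, of the difference between the behavior described above and the proposed fix, written as a generic WordPress AJAX vote handler. The table name (example_votes), the nonce action (example_vote), the POST field names, and all function names are hypothetical assumptions made for the example.

```php
<?php
/*
 * Illustrative WordPress AJAX vote handlers (NOT WP Ulike's code).
 * Assumed (hypothetical): a table {$wpdb->prefix}example_votes with columns
 * (item_id, user_id, vote) and a UNIQUE index on (item_id, user_id); a nonce
 * created with wp_create_nonce('example_vote') and sent as POST '_wpnonce'.
 */

// Count votes for an item (helper shared by both handlers).
function example_vote_count( $item_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_votes';
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE item_id = %d", $item_id ) );
}

// --- Vulnerable pattern: identity taken from the request body --------------
// A logged-in user can resend this request with any user_id and each distinct
// value records a new vote, which is the behavior the report describes.
function example_vote_insecure() {
    global $wpdb;
    $item_id = absint( $_POST['item_id'] ?? 0 );
    $user_id = absint( $_POST['user_id'] ?? 0 ); // attacker-controlled
    $wpdb->insert(
        $wpdb->prefix . 'example_votes',
        array( 'item_id' => $item_id, 'user_id' => $user_id, 'vote' => 1 ),
        array( '%d', '%d', '%d' )
    );
    wp_send_json_success( array( 'count' => example_vote_count( $item_id ) ) );
}

// --- Hardened pattern: identity derived from the authenticated session ------
function example_vote_secure() {
    global $wpdb;

    // Reject forged cross-site requests before any state change.
    check_ajax_referer( 'example_vote', '_wpnonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    // The voter is whoever owns the session. Nothing in the request body
    // is consulted for identity.
    $user_id = get_current_user_id();
    $item_id = absint( $_POST['item_id'] ?? 0 );

    if ( 0 === $item_id || null === get_post( $item_id ) ) {
        wp_send_json_error( 'invalid item', 400 );
    }

    // A client-supplied user_id is ignored; a mismatch is worth logging
    // because it indicates tampering with the request.
    if ( isset( $_POST['user_id'] ) && absint( $_POST['user_id'] ) !== $user_id ) {
        error_log( sprintf(
            'vote: user %d sent user_id=%s, ignored',
            $user_id,
            sanitize_text_field( wp_unslash( $_POST['user_id'] ) )
        ) );
    }

    $table   = $wpdb->prefix . 'example_votes';
    $already = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE item_id = %d AND user_id = %d",
        $item_id, $user_id ) );
    if ( $already ) {
        wp_send_json_error( 'already voted', 409 );
    }

    // The UNIQUE index on (item_id, user_id) is the real guarantee: if two
    // requests race past the check above, the second insert fails.
    $inserted = $wpdb->insert(
        $table,
        array( 'item_id' => $item_id, 'user_id' => $user_id, 'vote' => 1 ),
        array( '%d', '%d', '%d' )
    );
    if ( false === $inserted ) {
        wp_send_json_error( 'already voted', 409 );
    }

    wp_send_json_success( array( 'count' => example_vote_count( $item_id ) ) );
}

// Only the hardened handler is registered; the insecure one is kept for
// comparison and must not be wired to any action.
add_action( 'wp_ajax_example_vote', 'example_vote_secure' );
```

The point of the hardened version is that the vote count can only move once per authenticated user per item, regardless of what the client puts in the request: identity comes from get_current_user_id(), the nonce stops third-party sites from triggering votes, and the unique index makes a replayed or raced request a no-op rather than a second vote.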
