Vulnerabilities and security researches forstarfish-reviews starfish-reviews

Feb 27, 2026

CVE, Research URL: CVE-2025-15157
Home page URL: Security reports for Starfish Review Generation & Marketing for WordPress
Application: Starfish Review Generation & Marketing for WordPress
Date: Feb 14, 2026
Research Description: The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected versions: max 3.1.19.
Status: vulnerable

Apr 19, 2025

CVE, Research URL: CVE-2025-39533
Home page URL: Security reports for Starfish Review Generation & Marketing for WordPress
Application: Starfish Review Generation & Marketing for WordPress
Date: Apr 17, 2025
Research Description: Missing Authorization vulnerability in Starfish Reviews Starfish Review Generation & Marketing allows Privilege Escalation. This issue affects Starfish Review Generation & Marketing: from n/a through 3.1.14.
Affected versions: max 3.1.14.
Status: vulnerable

Nov 16, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Starfish Review Generation & Marketing for WordPress
Application: Starfish Review Generation & Marketing for WordPress
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 3.0.26.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: c78cf58c18bd8fbbc5ad9dd991be1a8c9308ff31
Home page URL: Security reports for Starfish Review Generation & Marketing for WordPress
Application: Starfish Review Generation & Marketing for WordPress
Date: Feb 28, 2022
Research Description: Starfish Review Generation & Marketing for WordPress [starfish-reviews] < 3.0.26 WordPress Starfish Review Generation & Marketing for WordPress plugin <= 3.0.25 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Starfish Review Generation & Marketing for WordPress plugin (versions <= 3.0.25).
Affected versions: max 3.0.26.
Status: vulnerable