Yet Another Stars Rating <= 1.8.6 – PHP Object Injection

An unauthenticated PHP object injection in the "Yasr – Yet Another Stars Rating" WordPress plugin provides a starting point for RCE and similar high-severity attacks. As of 27.01.2019, the plugin has over 20,000 active installations and roughly 500,000 downloads. A shortcode provided by the plugin passes cookie data without any filtering to PHP's unserialize() function. Because the cookie is fully attacker-controlled, any visitor can instantiate arbitrary classes in the WordPress process; whether that escalates to RCE depends on which gadget classes (with __wakeup or __destruct side effects) the site's other plugins and libraries make available.
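The pattern described above, as an added illustration that is not code from the Yasr plugin: a constructed shortcode handler that feeds a cookie straight into unserialize(), a constructed gadget class whose __destruct runs with attacker-chosen properties, and two hardened variants of the same handler. The cookie name (demo_rating), the function names and the LogWriter class are hypothetical.

```php
<?php
// Added example, not code from the Yasr plugin. The cookie name "demo_rating",
// the LogWriter class and the *_shortcode() functions are hypothetical.
declare(strict_types=1);

// A class that exists in the application for legitimate reasons. Its __destruct
// acts on its own properties, which makes it a "gadget" once an attacker can
// instantiate it with properties of their choosing. In a real code base this
// might write a file, include a template or run a callback; here it only echoes.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    public function __destruct()
    {
        echo "[gadget] __destruct would write '{$this->data}' to {$this->path}\n";
    }
}

// Vulnerable pattern: the cookie value goes straight into unserialize().
// Any class loaded in the process can be instantiated by the visitor.
function vulnerable_shortcode(array $cookies): array
{
    $raw = $cookies['demo_rating'] ?? '';
    $ratings = unserialize($raw);
    return is_array($ratings) ? $ratings : [];
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation.
// Objects in the input become __PHP_Incomplete_Class and no magic method runs.
function hardened_shortcode_unserialize(array $cookies): array
{
    $raw = $cookies['demo_rating'] ?? '';
    $ratings = unserialize($raw, ['allowed_classes' => false]);
    return is_array($ratings) ? $ratings : [];
}

// Hardened pattern 2 (preferred): a format that cannot express objects at all,
// followed by a whitelist of the shape the shortcode actually needs
// (post id => star count 1..5).
function hardened_shortcode_json(array $cookies): array
{
    $raw = $cookies['demo_rating'] ?? '';
    $ratings = json_decode($raw, true, 2);
    if (!is_array($ratings)) {
        return [];
    }
    $clean = [];
    foreach ($ratings as $postId => $stars) {
        if (is_int($postId) && is_int($stars) && $stars >= 1 && $stars <= 5) {
            $clean[$postId] = $stars;
        }
    }
    return $clean;
}

// Constructed malicious cookie: a serialized LogWriter with attacker-chosen
// properties. Lengths are the byte counts of the quoted strings.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:5:"owned";}';
$cookies = ['demo_rating' => $payload];

echo "vulnerable:\n";
var_dump(vulnerable_shortcode($cookies));            // gadget fires when $ratings is freed
echo "hardened (allowed_classes => false):\n";
var_dump(hardened_shortcode_unserialize($cookies));  // no __destruct output, returns []
echo "hardened (json):\n";
var_dump(hardened_shortcode_json($cookies));         // not JSON, returns []

// Same input a legitimate client would send, accepted only by the JSON variant:
var_dump(hardened_shortcode_json(['demo_rating' => '{"12":5,"34":3,"56":9}']));
```

The allowed_classes option stops the magic-method side effects but still parses attacker data with unserialize(), which has its own history of memory-safety bugs; where the data is only arrays and scalars, as a ratings cookie is, json_decode() plus explicit validation removes the deserialization surface entirely.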