Making WordPress.org

Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#5294 closed defect (duplicate)

can give review in Products without star rating (0 star)

Reported by: kokonaing
Owned by:
Milestone:
Priority: high
Component: WordPress.org Site
Keywords: needs-testing needs-patch


Steps To Reproduce:

In WordPress site https://wordpress.org, there are a lot of themes uploaded by each vendor, and there is a rating and review form for each theme. In this phase, the attacker can give a review without a star rating although WordPress enforces giving at least one star.

When the review form is submitted with any stars, the attacker will intercept the request and can delete the rating parameter (&rating=5&rating=5).

After deleting this parameter from the request, the attacker can successfully rate the product with 0 stars. 3. All WordPress sites should be
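Added example, not WordPress.org's own code: a review handler in the vulnerable shape the report describes (a missing rating parameter silently becomes 0 and is stored) beside a hardened handler that rejects the submission unless the rating is an integer from 1 to 5. The `$post` arrays are constructed sample submissions, including one with the rating parameter removed.

```php
<?php
// Vulnerable pattern: a missing "rating" key silently becomes 0 and is stored.
function save_review_vulnerable(array $post): array {
    $rating = isset($post['rating']) ? (int) $post['rating'] : 0;
    return ['stored' => true, 'rating' => $rating];
}

// Hardened pattern: the rating must be present, a plain digit string, and 1..5.
// Anything else rejects the whole submission instead of defaulting to 0.
function validate_rating(array $post): ?int {
    if (!array_key_exists('rating', $post)) {
        return null;                      // parameter deleted from the request
    }
    $raw = $post['rating'];
    if (!is_string($raw)) {               // rating[]=... arrays are refused too
        return null;
    }
    // \z (not $) so a trailing newline cannot slip past the check;
    // rejects "", "0", "6", "abc", "5.0", "-1", " 5".
    if (!preg_match('/^[1-5]\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function save_review_hardened(array $post): array {
    $rating = validate_rating($post);
    if ($rating === null) {
        return ['stored' => false, 'error' => 'A rating of 1 to 5 stars is required.'];
    }
    return ['stored' => true, 'rating' => $rating];
}

// Constructed submissions: a normal one, the tampered one from the report
// (rating parameter removed before the request reaches the server), and
// an explicit zero. PHP keeps the last value of a repeated &rating=5&rating=5.
$cases = [
    'normal'   => ['rating' => '5', 'review' => 'Great theme'],
    'tampered' => ['review' => 'Great theme'],
    'zero'     => ['rating' => '0', 'review' => 'Great theme'],
];
foreach ($cases as $name => $post) {
    printf("%-9s vulnerable=%s hardened=%s\n", $name,
        json_encode(save_review_vulnerable($post)),
        json_encode(save_review_hardened($post)));
}
```

The same check belongs on every endpoint that writes a rating, since the report notes the theme and support-forum forms share code and a client-side "at least one star" rule alone does not survive request tampering.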

Attachments (1)

worked-0-star.png (96.0 KB) - added by kokonaing 17 months ago.
Here is successful 0 star rating and should be worked in all Wordpress Versions.


Change History (5)

#1 @Otto42
17 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5291.

#2 @Hareesh Pillai
17 months ago

This was earlier fixed in #5291 for Support Forum rating submissions.
Is it different for Themes?

#3 @Otto42
17 months ago

Nope. Same code, already fixed. The image he posted is old.

#4 @Hareesh Pillai
17 months ago

Thank you for the clarification.

@kokonaing Please reopen this ticket if you are still able to reproduce this at your end.
