Making WordPress.org

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#5294 closed defect (bug) (duplicate)

can give review in Products without star rating (0 star)

Reported by: kokonaing
Owned by:
Milestone:
Priority: high
Component: WordPress.org Site
Keywords: needs-testing needs-patch
Cc:

Description

Steps To Reproduce:

In the WordPress site https://wordpress.org, there are a lot of themes uploaded by each vendor, and there is a rating and review form for each theme. In this phase, the attacker can give a review without a star rating, although WordPress enforces giving at least one star.

When the review form is submitted with any stars, the attacker will intercept the request and can delete the rating parameter &rating=5&rating=5.

After deleting this parameter from the request, the attacker can successfully rate the product with 0 stars.

3. All WordPress sites should work.

Attachments (1)

worked-0-star.png (96.0 KB) - added by kokonaing 4 years ago.
Here is a successful 0-star rating; it should work in all WordPress versions.

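A server-side check that closes the gap described in this ticket, as an added example that is not part of the ticket and not WordPress.org's code: it treats an absent `rating` field as an error instead of letting it default to 0. The function names, the `review` field and the 1 to 5 range are assumptions for illustration, and the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not WordPress.org code): returns the validated star
 * rating (1-5) from submitted form fields, or null when the submission
 * must be rejected.
 */
function validated_rating(array $post): ?int
{
    // A stripped parameter must be an error, never an implicit 0.
    if (!array_key_exists('rating', $post)) {
        return null;
    }
    $raw = $post['rating'];

    // "rating[]=5" arrives as an array in PHP; accept a single string only.
    if (!is_string($raw)) {
        return null;
    }

    // Exactly one digit in 1..5: rejects "", "0", "9", "5abc", "-1", " 5".
    if (preg_match('/\A[1-5]\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// The pattern that lets a missing field through: absent input becomes 0.
function naive_rating(array $post): int
{
    return (int) ($post['rating'] ?? 0);
}

// Constructed sample submissions; the second has the parameter removed.
$samples = [
    'normal'         => ['review' => 'Nice theme', 'rating' => '5'],
    'rating removed' => ['review' => 'Nice theme'],
    'explicit zero'  => ['review' => 'Nice theme', 'rating' => '0'],
    'out of range'   => ['review' => 'Nice theme', 'rating' => '9'],
];

foreach ($samples as $label => $post) {
    $strict = validated_rating($post);
    printf("%-15s naive=%d strict=%s\n", $label, naive_rating($post),
        $strict === null ? 'REJECT' : (string) $strict);
}
```

The client-side form can still require a star, but only the server-side rejection holds once the request is edited in transit.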

Change History (5)

@kokonaing
4 years ago

Here is a successful 0-star rating; it should work in all WordPress versions.

#1 @Otto42
4 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5291.

#2 @Hareesh Pillai
4 years ago

This was earlier fixed in #5291 for Support Forum rating submissions.
Is it different for Themes?

#3 @Otto42
4 years ago

Nope. Same code, already fixed. The image he posted is old.

#4 @Hareesh Pillai
4 years ago

Thank you for the clarification.

@kokonaing Please reopen this ticket if you are still able to reproduce this at your end.
