Making WordPress.org

Opened 9 days ago

Closed 8 days ago

Last modified 8 days ago

#5294 closed defect (duplicate)

Can give a review in Products without a star rating (0 stars)

Reported by: kokonaing
Owned by:
Milestone:
Priority: high
Component: WordPress.org Site
Keywords: needs-testing needs-patch
Cc:

Description

Steps To Reproduce:

On the WordPress site https://wordpress.org, there are a lot of themes uploaded by each vendor, and there is a rating and review form for each theme. In this phase, the attacker can give a review without a star rating although WordPress enforces giving at least one star.

1. When the review form is submitted with any number of stars, the attacker will intercept the request and can delete the rating parameter &rating=5&rating=5.

2. After deleting this parameter from the request, the attacker can successfully rate the product with 0 stars.

3. This should work on all WordPress sites.
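The gap described in the report is a client-only check: the form requires a star, but the server accepted a submission with the rating parameter removed. As an added example that is not WordPress.org's own code (the function name and the shape of the request array are assumptions), this is the server-side validation that closes it, rejecting a missing, zero, out-of-range or non-numeric rating regardless of what the browser enforced:

```php
<?php
// Added example (not WordPress.org's code): server-side check that a review
// submission carries a rating of 1-5 stars. The HTML form may mark the star
// field as required, but an intercepted request can simply drop &rating=N,
// so the server must never rely on the client to enforce it.
// The function name and the $post array shape are assumptions for illustration.

function validate_review_rating(array $post): array {
    // Missing parameter: the exact case the ticket describes.
    if (!array_key_exists('rating', $post)) {
        return ['ok' => false, 'error' => 'rating is required'];
    }
    $raw = $post['rating'];
    // Arrays (rating[]=...) and other non-scalar input are rejected outright.
    if (!is_string($raw) && !is_int($raw)) {
        return ['ok' => false, 'error' => 'rating must be an integer'];
    }
    // FILTER_VALIDATE_INT returns false for "", "5x", "3.5", and for any value
    // outside min_range..max_range, so 0 and 6 are refused here as well.
    $rating = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    if ($rating === false) {
        return ['ok' => false, 'error' => 'rating must be between 1 and 5'];
    }
    return ['ok' => true, 'rating' => $rating];
}

// Constructed sample submissions: a normal one, the bypass from the ticket
// (rating parameter deleted), and a few other malformed values.
$samples = [
    'normal'        => ['rating' => '5', 'content' => 'Great theme'],
    'param-removed' => ['content' => 'Great theme'],
    'zero-star'     => ['rating' => '0', 'content' => 'Meh'],
    'out-of-range'  => ['rating' => '6', 'content' => 'Wow'],
    'non-numeric'   => ['rating' => '5x', 'content' => 'Hmm'],
];
foreach ($samples as $label => $post) {
    $result = validate_review_rating($post);
    printf("%-14s %s\n", $label, $result['ok']
        ? "accepted rating {$result['rating']}"
        : "rejected: {$result['error']}");
}
```

Only the 'normal' sample is accepted; the check must run before the review is stored, since a client that omits the parameter never sees the form's required attribute at all.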

Attachments (1)

worked-0-star.png (96.0 KB) - added by kokonaing 9 days ago.
Here is a successful 0-star rating; it should work in all WordPress versions.


Change History (5)

@kokonaing
9 days ago

Here is a successful 0-star rating; it should work in all WordPress versions.

#1 @Otto42
8 days ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5291.

#2 @Hareesh Pillai
8 days ago

This was earlier fixed in #5291 for Support Forum rating submissions.
Is it different for Themes?

#3 @Otto42
8 days ago

Nope. Same code, already fixed. The image he posted is old.

#4 @Hareesh Pillai
8 days ago

Thank you for the clarification.

@kokonaing Please reopen this ticket if you are still able to reproduce this at your end.
