Make WordPress Core

#50497 closed defect (bug) (reported-upstream)

can give review in Products without star rating (0 star)

Reported by: kokonaing
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: WordPress.org Site
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

Steps To Reproduce:

On the WordPress site https://wordpress.org, there are a lot of themes uploaded by each vendor, and there is a rating and review form for each theme. In this phase, the attacker can give a review without a star rating, although WordPress enforces giving at least one star.

When the review form is submitted with any number of stars, the attacker will intercept the request and can delete the rating parameter (&rating=5&rating=5).
After deleting this parameter from the request, the attacker can successfully rate the product with 0 stars.
3. This should work on all WordPress sites.
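The bypass described above works only when the server trusts the browser's required-field check. The following added example (not code from WordPress or from the ticket) shows a handler that defaults a missing rating to 0 beside one that validates the submitted field server-side; the request bodies, field names and the 1..5 range are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed form bodies (not taken from the ticket) that a review
# endpoint might receive. "missing" and "empty" model the scenario in
# the ticket: the rating field removed from an intercepted request.
SAMPLE_BODIES = {
    "normal":   "review=Great+theme&rating=5&rating=5",
    "missing":  "review=Great+theme",
    "empty":    "review=Great+theme&rating=",
    "zero":     "review=Great+theme&rating=0",
    "too_big":  "review=Great+theme&rating=9",
    "not_int":  "review=Great+theme&rating=five",
    "conflict": "review=Great+theme&rating=5&rating=1",
}

MIN_STARS, MAX_STARS = 1, 5  # assumed valid star range


def vulnerable_rating(body: str) -> int:
    """'Before' handler: relies on the browser's required-field check and
    silently stores 0 when the field is absent, blank or non-numeric."""
    params = parse_qs(body, keep_blank_values=True)
    value = params.get("rating", ["0"])[-1]
    return int(value) if value.isdigit() else 0


def hardened_rating(body: str) -> int:
    """Server-side validation: the field must be present with exactly one
    distinct value (repeated identical copies are tolerated), must be an
    integer, and must lie within MIN_STARS..MAX_STARS. Raises ValueError
    so the caller rejects the submission instead of storing a 0-star review."""
    params = parse_qs(body, keep_blank_values=True)
    values = set(params.get("rating", []))
    if len(values) != 1:
        raise ValueError("rating must be supplied exactly once")
    raw = values.pop()
    if not raw.isdigit():
        raise ValueError("rating must be an integer")
    stars = int(raw)
    if not MIN_STARS <= stars <= MAX_STARS:
        raise ValueError(f"rating must be between {MIN_STARS} and {MAX_STARS}")
    return stars


def submit_review(body: str, handler=hardened_rating) -> dict:
    """Returns the record that would be stored, or a rejection with the reason."""
    try:
        return {"accepted": True, "stars": handler(body)}
    except ValueError as exc:
        return {"accepted": False, "error": str(exc)}
```

Running `submit_review` over `SAMPLE_BODIES` with each handler shows the difference: the vulnerable handler accepts the "missing" body as a 0-star review, while the hardened one rejects it and every other malformed body.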

Attachments (1)

worked-0-star.png (96.0 KB) - added by kokonaing 15 months ago.
Here is a successful 0-star rating; this should work in all WordPress versions.


Change History (2)

@kokonaing
15 months ago

Here is a successful 0-star rating; this should work in all WordPress versions.

#1 @SergeyBiryukov
15 months ago

  • Component changed from Posts, Post Types to WordPress.org Site
  • Description modified (diff)
  • Keywords needs-testing has-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Severity changed from major to normal
  • Status changed from new to closed

Hi there, welcome to WordPress Trac! Thanks for the ticket.

Please note that this Trac is used for enhancements and bug reporting for the WordPress core software. Any issues on WordPress.org sites, including the plugin or theme ratings, should be reported on https://meta.trac.wordpress.org.

This was already reported in #meta5291.
