Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #50497


Timestamp: 06/28/2020 05:52:57 PM
Author: SergeyBiryukov
Comment:

Hi there, welcome to WordPress Trac! Thanks for the ticket.

Please note that this Trac is used for enhancements and bug reporting for the WordPress core software. Any issues on WordPress.org sites, including the plugin or theme ratings, should be reported on https://meta.trac.wordpress.org.

This was already reported in #meta5291.

  • Ticket #50497

    • Property Status changed from new to closed
    • Property Component changed from Posts, Post Types to WordPress.org Site
    • Property Milestone changed from Awaiting Review to
    • Property Keywords needs-testing has-patch removed
    • Property Resolution changed from to reported-upstream
    • Property Severity changed from major to normal
  • Ticket #50497 – Description

    initial → v1

    Steps To Reproduce:

    Removed (initial):
    In WordPress site https://wordpress.org, there are a lot themes uploaded by each vendor. And there is a rating and review form in each theme. In this phrase, the attacker can give review without stars rating although Wordpress enforces to give at least one star.

    Added (v1):
    In WordPress site https://wordpress.org, there are a lot themes uploaded by each vendor. And there is a rating and review form in each theme. In this phrase, the attacker can give review without stars rating although WordPress enforces to give at least one star.

    Unmodified:
    When the reviewed form is submitted with any stars, the attacker will intercept the request and can delete rating parameter &rating=5&rating=5.