[wp-trac] [WordPress Trac] #50497: can give review in Products without star rating (0 star)

WordPress Trac noreply at wordpress.org
Sun Jun 28 17:52:58 UTC 2020


#50497: can give review in Products without star rating (0 star)
--------------------------------+--------------------------------
 Reporter:  kokonaing           |       Owner:  (none)
     Type:  defect (bug)        |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  WordPress.org Site  |     Version:
 Severity:  normal              |  Resolution:  reported-upstream
 Keywords:                      |     Focuses:
--------------------------------+--------------------------------
Changes (by SergeyBiryukov):

 * status:  new => closed
 * component:  Posts, Post Types => WordPress.org Site
 * milestone:  Awaiting Review =>
 * keywords:  needs-testing has-patch =>
 * resolution:   => reported-upstream
 * severity:  major => normal


Old description:

> Steps To Reproduce:
>
> In the WordPress site https://wordpress.org, there are a lot of themes
> uploaded by each vendor, and there is a rating and review form for each
> theme. In this phase, the attacker can give a review without a star
> rating although WordPress requires at least one star.
>
> 1. When the review form is submitted with any number of stars, the
> attacker intercepts the request and deletes the rating parameter
> &rating=5&rating=5.
> 2. After deleting this parameter from the request, the attacker can
> successfully rate the product with 0 stars.
> 3. All WordPress sites should work.

New description:

 Steps To Reproduce:

 In the WordPress site https://wordpress.org, there are a lot of themes
 uploaded by each vendor, and there is a rating and review form for each
 theme. In this phase, the attacker can give a review without a star
 rating although WordPress requires at least one star.

 1. When the review form is submitted with any number of stars, the
 attacker intercepts the request and deletes the rating parameter
 &rating=5&rating=5.
 2. After deleting this parameter from the request, the attacker can
 successfully rate the product with 0 stars.
 3. All WordPress sites should work.

--
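
An added illustration, not part of the ticket and not WordPress.org's own code: a weak handler that trusts the browser's star widget and silently turns a deleted rating parameter into 0 stars, next to a server-side check that re-validates the rating (rejecting a missing, blank, zero, out-of-range or repeated parameter). The field names `review` and `rating` and the urlencoded form body are assumptions based on the report.

```python
from urllib.parse import parse_qs

# Constructed sample form bodies (assumed field names from the report).
NORMAL = "review=Great+theme&rating=5"
MISSING = "review=Great+theme"                    # rating parameter deleted
DUPLICATED = "review=Great+theme&rating=5&rating=5"
ZERO = "review=Great+theme&rating=0"


def parse_rating_trusting(body: str) -> int:
    """Weak handler: assumes the browser enforced 'at least one star',
    so a request with no rating parameter is stored as 0 stars."""
    params = parse_qs(body)
    return int(params.get("rating", ["0"])[0])


def validate_review(body: str) -> dict:
    """Hardened handler: the server re-checks every rule the form enforces.
    Returns {'ok': True, 'rating': n, 'review': text} or
    {'ok': False, 'error': reason}."""
    # keep_blank_values=True so 'rating=' is seen as present-but-empty,
    # not as absent.
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("rating")
    if not values:
        return {"ok": False, "error": "rating is required"}
    if len(values) != 1:
        # A repeated parameter is ambiguous; reject rather than pick one.
        return {"ok": False, "error": "rating must be supplied exactly once"}
    raw = values[0].strip()
    if not raw.isdigit():  # rejects '', '-1', '5.0', 'five'
        return {"ok": False, "error": "rating must be an integer"}
    rating = int(raw)
    if not 1 <= rating <= 5:
        return {"ok": False, "error": "rating must be between 1 and 5"}
    review = params.get("review", [""])[0].strip()
    if not review:
        return {"ok": False, "error": "review text is required"}
    return {"ok": True, "rating": rating, "review": review}


if __name__ == "__main__":
    for body in (NORMAL, MISSING, DUPLICATED, ZERO):
        print(body, "->", parse_rating_trusting(body), validate_review(body))
```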

Comment:

 Hi there, welcome to WordPress Trac! Thanks for the ticket.

 Please note that this Trac is used for enhancements and bug reporting for
 the WordPress core software. Any issues on WordPress.org sites, including
 the plugin or theme ratings, should be reported on
 https://meta.trac.wordpress.org.

 This was already reported in #meta5291.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50497#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform