Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]
| Reported by: | rvenable | Owned by: | |
I have a function hooked onto the 'bp_signup_validate' action in which I validate user signups. It works correctly when going through the normal signup steps, but somehow spammers are able to create accounts that aren't validated by the 'bp_signup_validate' action.
I'm not sure how they are doing it exactly, but I did find some code in bp-core-signup that appears to provide a hole for spammers. The bp_core_wpsignup_redirect() function calls wp_redirect to redirect from wp-signup.php to the BP register page, but it doesn't call die() after redirect, so it would appear that the wp-signup.php code would still get executed. The correct function to call would be bp_core_redirect() (see attached patch) or at least call die() after wp_redirect().
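
An added example, not part of the ticket or its attached patch: a heuristic Python audit that flags `wp_redirect()` calls with no `exit`/`die` straight after them, the pattern the report describes. The sample PHP and its function names are constructed, and `wp_safe_redirect()` is also checked because it likewise returns to the caller.

```python
import re

# Redirect helpers that send a Location header but return to the caller.
CALL = re.compile(r"\bwp_(?:safe_)?redirect\s*\(")
TERMINATOR = re.compile(r"(?:exit|die)\b", re.IGNORECASE)
# Whitespace, ';', ')', '{' and PHP comments that may sit between call and exit.
SKIP = re.compile(r"(?:\s+|[;){]|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)

def end_of_call(src, i):
    """Return the index just past the ')' that closes the '(' before src[i]."""
    depth, quote = 1, None
    while i < len(src) and depth:
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character in a string
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return i

def unterminated_redirects(src):
    """Return 1-based line numbers of redirect calls not followed by exit/die."""
    hits = []
    for m in CALL.finditer(src):
        after = SKIP.match(src, end_of_call(src, m.end())).end()
        if not TERMINATOR.match(src, after):
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits

# Constructed sample input; function names are hypothetical.
SAMPLE = r"""<?php
function example_signup_redirect() {
    wp_redirect( home_url( '/register/' ) );    // script keeps running
}
function example_fixed_redirect() {
    wp_redirect( home_url( '/register/' ) );
    exit;
}
function example_idiom( $url ) {
    if ( wp_safe_redirect( $url ) ) {
        die();
    }
}
"""

if __name__ == "__main__":
    print(unterminated_redirects(SAMPLE))
```

The check is textual, so it can also match calls inside comments or strings; treat each hit as a line to review by hand.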