
Opened 4 years ago

Closed 4 years ago

#2289 closed defect (bug) (fixed)

Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]

Reported by: rvenable
Owned by:
Milestone: 1.2.4
Priority: major
Severity:
Version:
Component: Core
Keywords: has-patch
Cc:

Description

I have a function hooked onto the 'bp_signup_validate' action in which I validate user signups. It works correctly when going through the normal signup steps, but somehow spammers are able to create accounts that aren't validated by the 'bp_signup_validate' action.

I'm not sure how they are doing it exactly, but I did find some code in bp-core-signup that appears to provide a hole for spammers. The bp_core_wpsignup_redirect() function calls wp_redirect to redirect from wp-signup.php to the BP register page, but it doesn't call die() after redirect, so it would appear that the wp-signup.php code would still get executed. The correct function to call would be bp_core_redirect() (see attached patch) or at least call die() after wp_redirect().

Attachments (1)

signup.diff (591 bytes) - added by rvenable 4 years ago.


Change History (2)

rvenable 4 years ago

comment:1 johnjamesjacoby 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2930]) Fixes #2289 props rvenable
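
A check for the pattern the description points at, a `wp_redirect()` call with no `die()`/`exit` after it, written as an added example that is not part of the ticket, the attached patch, or BuddyPress. The PHP sample and its `example_*` names are constructed, and the scan is a string-level heuristic rather than a PHP parser.

```python
import re

# Constructed PHP sample (hypothetical example_* names, not BuddyPress source).
SAMPLE_PHP = """<?php
function example_signup_redirect() {
    if ( ! example_is_wp_signup() )
        return false;
    wp_redirect( example_register_url( 'https://example.test/register' ) );
}
function example_signup_redirect_fixed() {
    wp_redirect( example_register_url() );
    die();
}
"""

# String literals and comments are blanked first so that a commented-out
# die() or a parenthesis inside a URL cannot confuse the scan.
SKIP = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|//[^\n]*|#[^\n]*", re.S
)
CALL = re.compile(r"\b(wp_redirect|wp_safe_redirect)\s*\(")
# Accepts `); die();`, `); exit;` and `if ( wp_redirect(...) ) { exit; }`.
TERMINATOR = re.compile(r"[\s;){]*(exit|die)\b")


def _blank(match):
    # Keep newlines so reported line numbers match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_unterminated_redirects(php_source):
    """Return (line, function) for redirect calls not followed by exit/die.

    wp_redirect() only sends the Location header; without a terminator the
    rest of the request (here, the signup handler) keeps executing.
    """
    src = SKIP.sub(_blank, php_source)
    findings = []
    for m in CALL.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:  # walk to the call's closing paren
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        if not TERMINATOR.match(src, i):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings


if __name__ == "__main__":
    for line, name in find_unterminated_redirects(SAMPLE_PHP):
        print(f"line {line}: {name}() is not followed by exit/die")
```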
