If you do <a href="#" class="userpro-button secondary userpro-follow notfollowing" data-follow-text="Follow" data-unfollow-text="Unfollow" data-following-text="Following" data-follow-to="1" data-follow-from="119">
editing your id and pressing Follow
data-follow-from
You can add follower to anyone!
Really great catch!
Just tested this out and I can indeed ‘fake’ a ‘follow’ from one user to another.
This should really be processed with ajax nonce or something?
But this is only processed via ajax. How would you edit the html?
You can edit in the html to change for example this:-
To this
Then the user with the ID of 2 will be following that user instead of the current logged in user.
Is data-follow-from set by using something like get_current_user_id?
Of course to exploit this someone needs to know the user ID of people they want to make follow them, but it’s still possible.
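The thread's two suggestions (an AJAX nonce, and taking the follower from get_current_user_id() rather than from data-follow-from) combined in one server-side handler. This is an added example, not UserPro's code or anything posted in the thread; the action name `example_follow`, the nonce action `example_follow_nonce`, the `follow_to` and `nonce` request fields and the `example_following` meta key are all hypothetical.

```php
<?php
// Added example: hypothetical WordPress AJAX handler, not UserPro's code.
// The action name, nonce action, field names and meta key are assumptions.

// Registered only under wp_ajax_ (no wp_ajax_nopriv_ hook), so requests
// from visitors who are not logged in never reach the handler.
add_action( 'wp_ajax_example_follow', 'example_handle_follow' );

function example_handle_follow() {
    // Reject requests without a valid nonce for this action (CSRF check).
    // Passing false as the third argument makes check_ajax_referer()
    // return false instead of dying, so we can send our own error.
    if ( ! check_ajax_referer( 'example_follow_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // The follower is always the authenticated session user. Any
    // follow-from value sent by the browser is deliberately never read.
    $follower_id = get_current_user_id();
    if ( 0 === $follower_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // The target is chosen by the client by design, so validate it:
    // it must be a positive integer, an existing user, and not the follower.
    $target_id = isset( $_POST['follow_to'] ) ? absint( $_POST['follow_to'] ) : 0;
    if ( 0 === $target_id || $target_id === $follower_id || ! get_userdata( $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid target user.' ), 400 );
    }

    // Store the relationship against the session user's own record only.
    $following = get_user_meta( $follower_id, 'example_following', true );
    $following = is_array( $following ) ? $following : array();
    if ( ! in_array( $target_id, $following, true ) ) {
        $following[] = $target_id;
        update_user_meta( $follower_id, 'example_following', $following );
    }

    wp_send_json_success( array( 'following' => $target_id ) );
}
```

The nonce only stops requests forged from another site: a logged-in user editing the HTML of their own page still holds a valid nonce, so the check that closes the issue described in this thread is the `get_current_user_id()` line.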