HackerOne Disclosed Reports - 2025-05-09

Medium
resolved

Race condition on add 1 free domain


Bug reported by ASC Lages was disclosed on May 9, 2025, 6:59 pm   |   Business Logic Errors

A race condition vulnerability was discovered on the Gravatar platform, which allowed users to bypass the limitation of claiming only one free custom domain. The vulnerability was triggered by creating multiple parallel requests to the public-api.wordpress.com endpoint, where the "meta" parameter was modified, leading to the acquisition of more than one free domain.
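
A one-per-account limit like the one described above only holds under parallel requests if the limit check and the grant are a single atomic step on the server. The following added example (not code from the report or from Gravatar; the SQLite schema, the handler names and the `.example` domains are assumptions) runs five simultaneous claims for one account against a check-then-insert handler and against a handler backed by a unique index.

```python
import os, sqlite3, tempfile, threading

def make_db(enforce_unique):
    """Constructed schema: one row per free domain granted to an account.
    With enforce_unique, the database itself allows one row per user_id."""
    path = os.path.join(tempfile.mkdtemp(), "claims.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE free_claims (user_id INTEGER, domain TEXT)")
    if enforce_unique:
        con.execute("CREATE UNIQUE INDEX one_free ON free_claims (user_id)")
    con.commit()
    con.close()
    return path

def claim_check_then_insert(path, user_id, domain, barrier):
    """Racy handler: the limit check and the write are separate steps."""
    con = sqlite3.connect(path, timeout=30)
    rows = con.execute("SELECT COUNT(*) FROM free_claims WHERE user_id = ?", (user_id,)).fetchall()
    barrier.wait()  # models parallel requests that all pass the check before any write
    if rows[0][0] == 0:
        con.execute("INSERT INTO free_claims VALUES (?, ?)", (user_id, domain))
        con.commit()
    con.close()

def claim_atomic(path, user_id, domain, barrier):
    """Hardened handler: one INSERT that the unique index accepts or rejects."""
    con = sqlite3.connect(path, timeout=30)
    barrier.wait()  # all requests arrive together
    try:
        con.execute("INSERT INTO free_claims VALUES (?, ?)", (user_id, domain))
        con.commit()
    except sqlite3.IntegrityError:
        con.rollback()  # free domain already used: refuse this request
    finally:
        con.close()

def granted(handler, enforce_unique, parallel=5):
    """Run `parallel` simultaneous claims for one account; return rows granted."""
    path = make_db(enforce_unique)
    barrier = threading.Barrier(parallel)
    threads = [threading.Thread(target=handler, args=(path, 1, f"d{i}.example", barrier))
               for i in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    count = con.execute("SELECT COUNT(*) FROM free_claims").fetchall()[0][0]
    con.close()
    return count
```

`granted(claim_check_then_insert, False)` grants one domain per request, while `granted(claim_atomic, True)` grants exactly one no matter how many requests arrive together.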

