[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor
buddypress-trac
noreply at wordpress.org
Sun Jun 14 22:57:26 UTC 2015
#6504: Messages viewable to any logged out visitor
-----------------------------------+-----------------------------
Reporter: CodeMonkeyBanana | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Component - Messaging | Version:
Severity: major | Keywords:
-----------------------------------+-----------------------------
I have noticed when implementing AJAX in a theme that it is possible to view
anyone's messages.
If you navigate to any user's profile page and then enter this into the
JavaScript console it will show you the messages for the user you are
viewing:
{{{
// `jq` is the jQuery alias BuddyPress exposes and `ajaxurl` is the
// admin-ajax.php endpoint WordPress defines on the page. The request
// sends only the action name: no nonce, no user id, no login required.
jq.post( ajaxurl, { action: 'messages_filter' } )
    .done( function( data ) {
        // Replace the current page with the returned messages markup.
        document.write( data );
    } );
}}}
I tested on my live site and it worked. I think some extra security check
is needed.
PS. I chose "I am not reporting a security issue" because this isn't a
security issue with WordPress, it is BuddyPress specific. Was that wrong?
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504>
BuddyPress Trac <http://buddypress.org/>
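The missing check the ticket describes is an authorisation check on the AJAX handler: the `messages_filter` action answers before anyone has verified that the caller is logged in and is the user whose inbox is being requested. The guard below is an added example of such a check, written for this page; it is not BuddyPress's own code nor its eventual fix for this ticket. It assumes (nothing on the ticket states this) that the theme serves the action on the `wp_ajax_messages_filter` / `wp_ajax_nopriv_messages_filter` hooks at WordPress's default priority, and that the target user of the request is whatever `bp_displayed_user_id()` resolves to during the AJAX call. The function name `example_guard_messages_filter` is hypothetical.

```php
<?php
/**
 * Illustrative guard for the BuddyPress `messages_filter` AJAX action.
 * Added example for this page; not BuddyPress's own code or fix.
 *
 * Assumptions (not stated on the ticket):
 *  - the theme handles the action on `wp_ajax_messages_filter` and
 *    `wp_ajax_nopriv_messages_filter` at the default priority (10);
 *  - during the AJAX request, bp_displayed_user_id() is the user whose
 *    messages the handler is about to render.
 */

/**
 * Reject the request unless the caller may read the target user's messages.
 * Hooked at priority 1 so it runs before the theme's template loader; any
 * failure terminates the request with a JSON error instead of message markup.
 */
function example_guard_messages_filter() {
    // Logged-out visitors never receive message content.
    if ( ! is_user_logged_in() ) {
        status_header( 401 );
        wp_send_json_error( array( 'message' => 'Authentication required.' ) );
    }

    $target = (int) bp_displayed_user_id(); // whose inbox is being requested
    $caller = (int) bp_loggedin_user_id();  // who is asking

    // A user may read only their own inbox. Site moderators (the
    // `bp_moderate` capability) are the one documented exception.
    // If no user is displayed ($target === 0) the handler is left to
    // fall back to the caller's own messages, which is harmless.
    if ( $target && $target !== $caller && ! bp_current_user_can( 'bp_moderate' ) ) {
        status_header( 403 );
        wp_send_json_error( array( 'message' => 'You may only view your own messages.' ) );
    }
}

// Register on both hooks so the logged-out path is covered as well.
add_action( 'wp_ajax_messages_filter',        'example_guard_messages_filter', 1 );
add_action( 'wp_ajax_nopriv_messages_filter', 'example_guard_messages_filter', 1 );
```

With this in place, the console request from the ticket returns a JSON error for a logged-out visitor, and for a logged-in visitor returns one unless the displayed profile is their own. The guard deliberately does not try to add a nonce: a nonce defends against cross-site request forgery, but the defect here is a missing authorisation decision, and a nonce alone would not stop a logged-in user from reading another user's inbox.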