[wp-hackers] Security Vulnerability found - Forum Post

Mark Jaquith mark.wordpress at txfx.net
Wed Apr 13 20:17:54 GMT 2005

Matthew Mullenweg wrote:

> denis at semiologic.com wrote:
>> - fetch config.php through the file editor
> Incidentally, we don't allow this.
They could still just edit a plugin with code that would spit out the 
contents of wp-config.php and then they would have full access to your 

This isn't a problem for trusted users... levels 2 and up. But for
"submit a draft only" users, we should be stripping out JavaScript and
any other dangerous code.
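
The filtering proposed in the message above, sketched as an added example; it is not part of the original post and is not WordPress code. The names `filter_post`, `ALLOWED` and `TRUSTED_LEVEL` are hypothetical, and the tag/attribute allowlist is an assumed policy. Markup from users below level 2 is rebuilt from an allowlist rather than pattern-matched for script:

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this sketch: allowed tag -> attributes that survive.
ALLOWED = {"a": {"href", "title"}, "p": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set()}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL
DROP_WITH_CONTENT = {"script", "style"}         # element and its body are removed
TRUSTED_LEVEL = 2                               # "levels 2 and up" in the post

def _safe_url(value):
    # Browsers ignore whitespace/control characters in a scheme; drop them first.
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    head = re.split(r"[/?#]", compact, maxsplit=1)[0]
    scheme = head.split(":", 1)[0].lower() if ":" in head else ""
    return scheme in SAFE_SCHEMES

class _DraftFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED[tag] and (n != "href" or _safe_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is always re-escaped, never passed through raw
            self.out.append(escape(data, quote=False))

def filter_post(html, user_level):
    """Return post HTML unchanged for trusted users, allowlist-filtered otherwise."""
    if user_level >= TRUSTED_LEVEL:
        return html
    parser = _DraftFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

An unclosed `<script>` leaves the filter in skip mode, so everything after it is dropped rather than emitted.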
