[wp-hackers] Security Vulnerability found - Forum Post
Mark Jaquith
mark.wordpress at txfx.net
Wed Apr 13 20:17:54 GMT 2005
Matthew Mullenweg wrote:
> denis at semiologic.com wrote:
>
>> - fetch config.php through the file editor
>
> Incidentally, we don't allow this.
>
They could still just edit a plugin with code that would spit out the
contents of wp-config.php and then they would have full access to your
database.
This isn't a problem for trusted users... levels 2 and up. But for
"submit a draft only" users, we should be stripping out JavaScript and
any other dangerous code.