[wp-hackers] Critical WP Flaw?
Ryan Boren
ryan at boren.nu
Thu Jul 27 08:32:45 GMT 2006
Ryan Boren wrote:
> Computer Guru wrote:
>>> Neither does asking about it on mailing lists and forums or reposting
>>> with links on your own blogs, but they seem to be the popular things to
>>> do these days.
>>
>> I agree with the latter, but I'm not asking for full disclosure here
>> in the mailing list, I just want 1) Confirmation that it's not BS
>
> See my previous. The problem is with plugins that don't check caps.
To clarify, there was a small WP problem with
user_can_access_admin_page(). Pages registered in add_submenu() weren't
always getting the registered cap checked. However, most of the plugin
problems I've seen have related to unprotected action handlers, not menu
pages. Regardless, 2.0.4 beta fixes user_can_access_admin_page().
Plugins need to be sure to put current_user_can() checks wherever access
control is needed. I think some authors were assuming that WP checks
for them. It does not. WP doesn't know what user level/capability the
various parts of a plugin require. An audit of plugins shows that some
plugins have been making this assumption for a long, long time.
Ryan
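An illustration of the point Ryan makes above, added here and not part of the original message or of any WordPress plugin: a plugin page registered with a capability, an action handler that relies on WP to protect it (it does not), and the same handler with an explicit current_user_can() check. The plugin name, option name, hook names and the `capex_` prefix are made up for the example, and the code is written against the present-day WordPress plugin API rather than the 2.0-era one the thread discusses.

```php
<?php
/*
Plugin Name: Cap Check Example (hypothetical plugin for illustration only)
*/

// The capability passed to add_submenu_page() governs who may open this menu
// page. It says nothing about code the plugin runs on other hooks.
add_action( 'admin_menu', 'capex_register_menu' );
function capex_register_menu() {
    add_submenu_page(
        'options-general.php',
        'Cap Check Example',
        'Cap Check Example',
        'manage_options',      // cap required to reach the page
        'capex-settings',
        'capex_render_page'
    );
}

function capex_render_page() {
    // Re-check on render as well: the page callback is the plugin's own code,
    // so the plugin decides what it requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this page.' );
    }
    $url = wp_nonce_url( admin_url( 'options-general.php?capex_action=reset' ), 'capex_reset' );
    echo '<div class="wrap"><h1>Cap Check Example</h1>';
    echo '<p><a href="' . esc_url( $url ) . '">Reset plugin options</a></p></div>';
}

// Unprotected action handler: the pattern the thread describes. WordPress does
// not know that this action needs manage_options, so it checks nothing for the
// plugin; every logged-in user who can load an admin screen can trigger it.
// (Not hooked in, shown only for comparison.)
function capex_handle_reset_unprotected() {
    if ( isset( $_GET['capex_action'] ) && 'reset' === $_GET['capex_action'] ) {
        delete_option( 'capex_options' );
    }
}

// Hardened handler: the plugin states the capability it needs, then verifies
// the request came from its own page.
add_action( 'admin_init', 'capex_handle_reset' );
function capex_handle_reset() {
    if ( ! isset( $_GET['capex_action'] ) || 'reset' !== $_GET['capex_action'] ) {
        return;
    }
    // 1. Authorization: explicit cap check, because WP will not do it for us.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.', '', array( 'response' => 403 ) );
    }
    // 2. Request forgery protection: verify the nonce from wp_nonce_url().
    check_admin_referer( 'capex_reset' );

    delete_option( 'capex_options' );
    wp_safe_redirect( admin_url( 'options-general.php?page=capex-settings&reset=1' ) );
    exit;
}
```

The cap check comes before the nonce check on purpose: a nonce only proves the request originated from a page the current user could load, so on its own it never substitutes for deciding whether that user is allowed to perform the action. When auditing a plugin for the assumption Ryan describes, look at every callback attached to an action hook, not just the menu page registrations.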