[wp-hackers] Critical WP Flaw?

Ryan Boren ryan at boren.nu
Thu Jul 27 08:32:45 GMT 2006

Ryan Boren wrote:
> Computer Guru wrote:
>>> Neither does asking about it on mailing lists and forums or reposting
>>> with links on your own blogs, but they seem to be the popular things to
>>> do these days.
>> I agree with the latter, but I'm not asking for full disclosure here 
>> in the mailing list, I just want 1) Confirmation that it's not BS
> See my previous.  The problem is with plugins that don't check caps.

To clarify, there was a small WP problem with 
user_can_access_admin_page().  Pages registered in add_submenu() weren't 
always getting the registered cap checked.  However, most of the plugin 
problems I've seen have related to unprotected action handlers, not menu 
pages.  Regardless, 2.0.4 beta fixes user_can_access_admin_page().

Plugins need to be sure to put current_user_can() checks wherever access 
control is needed.  I think some authors were assuming that WP checks 
for them.  It does not. WP doesn't know what user level/capability the 
various parts of a plugin require.  An audit of plugins shows that some 
plugins have been making this assumption for a long, long time.


More information about the wp-hackers mailing list