[wp-hackers] Critical WP Flaw?
Joey B
tunicwriter at gmail.com
Thu Jul 27 09:28:27 GMT 2006
On 7/27/06, Ryan Boren <ryan at boren.nu> wrote:
> <snip>
> Plugins need to be sure to put current_user_can() checks wherever access
> control is needed. I think some authors were assuming that WP checks
> for them. It does not. WP doesn't know what user level/capability the
> various parts of a plugin require. An audit of plugins shows that some
> plugins have been making this assumption for a long, long time.
Saying so here won't make much of a dent in changing that. I've never
heard of current_user_can(), either, along with, apparently, a lot of
other plugin devs. This would lead me to believe there is a failure in
documentation which should probably also be addressed along with this
security vulnerability, if this is so important.
--
Joey Brooks
Milk Carton Designs || milkcartondesigns.com
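The check Ryan describes, as an added example that is not code from the list post, from WordPress core, or from any plugin mentioned here. It contrasts a handler that assumes WordPress has already restricted who can reach it with one that states its own requirement through current_user_can() and also verifies a nonce. The capability name 'manage_options', the option name 'example_setting', the nonce action 'example_save' and the hook choice are assumptions made for illustration.

```php
<?php
/*
Plugin Name: Capability check example (added example, not from the original post)
*/

// Pattern the thread warns about: the handler does nothing to restrict who may
// run it. Hooking it on 'admin_init' means it fires on every admin request,
// including ones from the lowest-privileged logged-in role, and WordPress
// itself does not know this handler should be limited to administrators.
function example_save_setting_unchecked() {
    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', $_POST['example_setting'] );
    }
}

// Hardened version of the same handler. The plugin declares the capability it
// needs with current_user_can() and refuses the request otherwise; the nonce
// check stops a logged-in administrator from being tricked into submitting it.
function example_save_setting_checked() {
    if ( ! isset( $_POST['example_setting'] ) ) {
        return;
    }
    // 'manage_options' is an assumed choice; use whatever the action warrants.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change this setting.' );
    }
    // 'example_save' must match the action name used in wp_nonce_field() below.
    check_admin_referer( 'example_save' );
    update_option( 'example_setting', sanitize_text_field( $_POST['example_setting'] ) );
}
add_action( 'admin_init', 'example_save_setting_checked' );

// Form that submits to the checked handler; the nonce field ties the request
// to the 'example_save' action verified above.
function example_render_setting_form() {
    $current = esc_attr( get_option( 'example_setting', '' ) );
    echo '<form method="post">';
    wp_nonce_field( 'example_save' );
    echo '<input type="text" name="example_setting" value="' . $current . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
```

The capability argument passed to functions such as add_options_page() only controls whether the menu entry and its page are shown; a handler attached to a general hook like the one above runs regardless of that argument, which is why the plugin must perform the current_user_can() check itself.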