[wp-hackers] Critical WP Flaw?

Joey B tunicwriter at gmail.com
Thu Jul 27 09:28:27 GMT 2006

On 7/27/06, Ryan Boren <ryan at boren.nu> wrote:
> <snip>
> Plugins need to be sure to put current_user_can() checks wherever access
> control is needed.  I think some authors were assuming that WP checks
> for them.  It does not. WP doesn't know what user level/capability the
> various parts of a plugin require.  An audit of plugins shows that some
> plugins have been making this assumption for a long, long time.

Saying so here won't make much of a dent in changing that. I've never
heard of current_user_can(), either, along with, apparently, a lot of
other plugin devs. This would lead me to believe there is a failure in
documentation which should probably also be addressed along with this
security vulnerability, if this is so important.

Joey Brooks
Milk Carton Designs || milkcartondesigns.com

More information about the wp-hackers mailing list