[wp-hackers] Critical WP Flaw?

Ryan Boren ryan at boren.nu
Thu Jul 27 09:39:09 GMT 2006


Denis de Bernardy wrote:
> Ryan said:
> 
>>> 2) _Official_ threat level, just how serious is it?
>> If plugins don't check caps, it can be very serious.
>>
>>> 3) Possible fix dates
>> Up to plugin authors.
> 
> I now end up wondering whether I should fix my own plugins or not...
> 
> I check user levels, not caps. And I rely on WP to check this for me, via
> the admin interface's built-in protections. This is what most plugin authors
> do, as far as I can tell. If doing this is wrong, we've got a huge number of
> plugins in need of fixing. Or a huge WordPress workflow error.

User level checks are fine.  WP checks the cap/level you pass when you 
register a menu/submenu and uses that to deny access to the plugin, but 
that is not sufficient for plugins that use multiple files and do more 
"advanced things". Some plugins need to add more fine-grained cap 
checking.  Most plugins are fine though.

> Anyway... without any information, how should I or any other plugin author
> guess if anything needs to be fixed, and what needs to be fixed?

I like to protect all non-idempotent operations with cap checks, even 
when the umbrella check should protect them.  I'd suggest creating a 
Subscriber level user on a test blog and then directly entering the URLs 
that load your plugin.  Make sure the caps are enforced for all entry 
points to your plugin.

Ryan
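The point Ryan makes above, that the capability passed to the menu registration only protects the menu page and not every file or hook a plugin exposes, is easier to see in code. The following is an added example written for this archive page; it is not Ryan's code, not WordPress core, and not any real plugin. The plugin name, the `capdemo_` function and option names, and the form fields are all made up for illustration, and the calls use current WordPress API names (`current_user_can`, `check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`, `wp_unslash`, `wp_safe_redirect`) rather than the 2006 ones. The weak handler is shown in comments beside the hardened one so both entry points can be compared.

```php
<?php
/*
Plugin Name: Cap Check Demo (illustrative example, not a real plugin)
Description: Shows why each entry point needs its own capability check.
*/

// Entry point 1: a page under Settings. WordPress enforces the
// 'manage_options' capability passed here before it calls the callback,
// so this page is covered by the "umbrella" check on the menu.
add_action( 'admin_menu', 'capdemo_register_menu' );
function capdemo_register_menu() {
	add_options_page( 'Cap Demo', 'Cap Demo', 'manage_options',
		'capdemo', 'capdemo_settings_page' );
}

function capdemo_settings_page() {
	// Read-only rendering; nothing in this callback changes state.
	$value = get_option( 'capdemo_greeting', '' );
	echo '<div class="wrap"><h2>Cap Demo</h2>';
	echo '<form method="post" action="">';
	wp_nonce_field( 'capdemo_save', 'capdemo_nonce' );
	echo '<input type="text" name="capdemo_greeting" value="'
		. esc_attr( $value ) . '" /> ';
	echo '<input type="submit" name="capdemo_save" value="Save" /> ';
	echo '<input type="submit" name="capdemo_reset" value="Reset" />';
	echo '</form></div>';
}

// Entry point 2: the handler for the form above. It is hooked to
// admin_init, which fires on every wp-admin request before the menu
// code decides whether the user may see page=capdemo, so the umbrella
// check on the menu never applies to it.
//
// WEAK version (a plugin that "relies on WP to check this for me"):
//
//   function capdemo_handle_form() {
//       if ( isset( $_POST['capdemo_reset'] ) ) {
//           delete_option( 'capdemo_greeting' ); // any logged-in user
//       }
//       if ( isset( $_POST['capdemo_save'] ) ) {
//           update_option( 'capdemo_greeting', $_POST['capdemo_greeting'] );
//       }
//   }
//
// Logged in as a Subscriber, POSTing capdemo_reset=1 to any wp-admin
// URL wipes the option, even though the Subscriber can never see the
// settings page itself.

// HARDENED version: the non-idempotent operations carry their own checks,
// exactly as if the umbrella check did not exist.
add_action( 'admin_init', 'capdemo_handle_form' );
function capdemo_handle_form() {
	$save  = isset( $_POST['capdemo_save'] );
	$reset = isset( $_POST['capdemo_reset'] );
	if ( ! $save && ! $reset ) {
		return; // Not our form; nothing state-changing follows.
	}

	// 1. Authorization: the same capability the menu was registered with.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change Cap Demo settings.',
			'Forbidden', array( 'response' => 403 ) );
	}

	// 2. Intent: the nonce emitted by wp_nonce_field() above, so an
	//    administrator cannot be tricked into submitting the form (CSRF).
	check_admin_referer( 'capdemo_save', 'capdemo_nonce' );

	// 3. Only now perform the state change, with the input sanitized.
	if ( $reset ) {
		delete_option( 'capdemo_greeting' );
	} else {
		update_option( 'capdemo_greeting',
			sanitize_text_field( wp_unslash( $_POST['capdemo_greeting'] ) ) );
	}

	// Redirect so a browser refresh does not replay the POST.
	wp_safe_redirect( admin_url( 'options-general.php?page=capdemo&updated=1' ) );
	exit;
}
```

To run Ryan's test against this: create a Subscriber on a test blog, log in as that user, and submit `capdemo_reset=1` by POST to any wp-admin URL (the settings page URL is the obvious one, but any will do). With the weak handler the option disappears; with the hardened handler the request stops at the 403 from `wp_die()` before `delete_option()` is reached. The same check belongs on every other entry point the plugin has, including standalone files it loads directly and AJAX or cron handlers.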

