[wp-hackers] Critical WP Flaw?

Ryan Boren ryan at boren.nu
Thu Jul 27 10:03:31 GMT 2006

Joey B wrote:
> On 7/27/06, Ryan Boren <ryan at boren.nu> wrote:
>> <snip>
>> Plugins need to be sure to put current_user_can() checks wherever access
>> control is needed.  I think some authors were assuming that WP checks
>> for them.  It does not. WP doesn't know what user level/capability the
>> various parts of a plugin require.  An audit of plugins shows that some
>> plugins have been making this assumption for a long, long time.
> Saying so here won't make much of a dent in changing that. I've never
> heard of current_user_can(), either, along with, apparently, a lot of
> other plugin devs. This would lead me to believe there is a failure in
> documentation which should probably also be addressed along with this
> security vulnerability, if this is so important.

If you're relying on the cap/level check provided when you register a 
menu/submenu, that will cover most plugins.  There is indeed a bug in 
2.0.3 that breaks this check in some cases.  2.0.4 beta fixes this.  If 
you don't register a menu and don't do a level or cap check, your plugin 
is vulnerable.

Personally, I never really meant the menu cap check to be relied upon 
quite so heavily.  It was offered as a convenience thing for simple 
plugins. I use current_user_can() in my plugins.

current_user_can() is the heart of the capability system.


Looks like we need to do a better job of documenting with regard to 
plugin development.


More information about the wp-hackers mailing list