[wp-hackers] XMLRPC rework

Lloyd Budd lloydomattic at gmail.com
Thu Aug 30 17:35:01 GMT 2007

On 8/30/07, Alexander Concha <alex at buayacorp.com> wrote:
> Hello Folks.
> I think WP's XMLRPC server needs more attention because it has some
> buggy methods and by default allows unprivileged users to gather
> useful information.

Hi Alex,

Although a very appropriate topic for this list, there is now a list
specifically for the topic: wp-xmlrpc at lists.automattic.com

> The following methods don't seem to work and, because of the security
> implications, I suggest removing them -- although I'm not sure whether
> they were added for compatibility reasons.
> - blogger_getTemplate
> - blogger_setTemplate
> OTOH, unprivileged users (aka anyone with a subscriber role) can
> retrieve data which could be used for unknown purposes. Examples:
> - mw_getRecentPosts will return posts including private fields like
> post_password.
> - wp_getAuthors will return the list of users with private data (email
> and role).
> Any comments?
> Regards.
> PS. Sorry for my bad English.
> --
> Alexander Concha
> http://www.buayacorp.com/
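An added example, not code from the thread or from WordPress itself, showing how a practitioner could check the two information-disclosure claims above: it builds the XML-RPC requests a subscriber-level client would send and scans the responses for fields that should not reach an unprivileged caller. Assumptions: the XML-RPC method names `metaWeblog.getRecentPosts` and `wp.getAuthors` are taken to correspond to the `mw_getRecentPosts` and `wp_getAuthors` handlers named in the mail; the field names in the sample responses (`post_password`, `user_email`, `role`) are constructed for illustration and follow the thread's description rather than any verified server output; the "sensitive" markers are a heuristic you would tune to the real response keys.

```python
"""Audit WordPress XML-RPC responses for data that an unprivileged
(subscriber) caller should not see.  Example code, not WordPress code."""
import xmlrpc.client

# Assumed XML-RPC method names for the PHP handlers named in the thread.
METHODS = {
    "mw_getRecentPosts": "metaWeblog.getRecentPosts",
    "wp_getAuthors": "wp.getAuthors",
}

# Heuristic: any struct member whose name contains one of these is treated
# as sensitive for a subscriber-level caller (assumption, tune to taste).
SENSITIVE_MARKERS = ("password", "email", "role")


def build_request(handler, blog_id, username, password, *extra):
    """Serialize the <methodCall> body a client sends for `handler`.

    Positional layout (blog_id, username, password, ...) is the one the
    metaWeblog and wp.* methods use; `extra` carries e.g. numberOfPosts.
    """
    params = (blog_id, username, password) + extra
    return xmlrpc.client.dumps(params, methodname=METHODS[handler])


def sensitive_fields(record):
    """Return the sorted member names of one struct that look sensitive."""
    return sorted(k for k in record
                  if any(m in k.lower() for m in SENSITIVE_MARKERS))


def audit_records(records):
    """List (index, [leaked field names]) for every struct that leaks."""
    findings = []
    for i, rec in enumerate(records):
        leaked = sensitive_fields(rec)
        if leaked:
            findings.append((i, leaked))
    return findings


def audit_response(body):
    """Parse a raw <methodResponse> body and audit the array it returns.

    A <fault> response makes xmlrpc.client.loads raise Fault, which is
    left to the caller: a fault means the call was refused, not leaked.
    """
    (result,), _method = xmlrpc.client.loads(body)
    return audit_records(result)


def run_live(url, username, password, blog_id=1, count=10):
    """Call both handlers on a real server as the given (subscriber) account.

    Not exercised offline; requires network access to `url` (xmlrpc.php).
    """
    proxy = xmlrpc.client.ServerProxy(url)
    posts = proxy.metaWeblog.getRecentPosts(blog_id, username, password, count)
    authors = proxy.wp.getAuthors(blog_id, username, password)
    return {
        "mw_getRecentPosts": audit_records(posts),
        "wp_getAuthors": audit_records(authors),
    }


# Constructed sample responses (not captured from a real server), serialized
# with the same library so the parser sees genuine XML-RPC markup.
SAMPLE_POSTS_RESPONSE = xmlrpc.client.dumps((
    [
        {"postid": "1", "title": "Members only", "post_password": "s3cret"},
        {"postid": "2", "title": "Public post"},
    ],
), methodresponse=True)

SAMPLE_AUTHORS_RESPONSE = xmlrpc.client.dumps((
    [
        {"user_id": 1, "user_login": "admin",
         "user_email": "admin@example.test", "role": "administrator"},
        {"user_id": 2, "user_login": "reader",
         "user_email": "reader@example.test", "role": "subscriber"},
    ],
), methodresponse=True)


if __name__ == "__main__":
    print(build_request("mw_getRecentPosts", 1, "reader", "pw", 10))
    print(audit_response(SAMPLE_POSTS_RESPONSE))
    print(audit_response(SAMPLE_AUTHORS_RESPONSE))
```

Run `run_live("http://blog.example/xmlrpc.php", "reader", "pw")` with a subscriber account to reproduce the check against a test install; an empty list for both handlers means the responses carried none of the marked fields, while a `Fault` means the server refused the call for that role, which is the outcome the mail argues for.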
