[wp-hackers] Pages still visible to audience after setting it back to "Draft"?

Andrew Nacin wp at andrewnacin.com
Thu Dec 9 22:53:42 UTC 2010

On Thu, Dec 9, 2010 at 1:41 PM, Oliver Schlöbe <office at wpseek.com> wrote:

> Hey there,
> I've been told there's some strange behaviour on how WP 3 handles draft
> posts, and I'm not sure wether it's a bug or wanted behaviour.
> When creating a page, setting the status to "Draft" and saving the page,
> you can preview it by opening ?page_id=694&preview=true Works fine so far.
> Non logged in users cannot see the draft page even if they're opening the
> page directly via ?page_id=694&preview=true or /slug/.
> But when a page has been published before, and you set back the status of
> that page to "Draft", non logged in users can suddenly see the page,
> although it's a Draft. Is this desired behaviour? What would be the point of
> changing a page's status from Public to Draft if the audience will still be
> able to view the page by directly opening it through the address bar?
> Steps to reproduce:
> 1. Create a page (status: Draft (default), Visibility: Public (default)),
> and click "Save".
> 2. Open the page with a different browser you're non logged into the Admin
> area, e.g. domain.com/draft-page/ You'll get a 404, this is desired
> behaviour.
> 3. Now publish the page by clicking "Publish" and it should be visible to
> non logged in users, too.
> 4. Now set the page's status from "Published" to "Draft" and hit "Update
> page".
> In opposition to step 1 the page wont return a 404, although it's a Draft
> like in step 1 where it correctly returned a 404 to non logged in users.
> Bug or feature? :)

This sounds like a plugin, specifically a caching plugin as Brian has
pointed out, especially knowing how WP_Query handles non-public post
statuses. But I'm sending this email as a Public Service Announcement.

If this really was a bug in core, it's information disclosure, and is best
classified as a major vulnerability.

So this shouldn't be reported over a public mailing list. Instead something
like it should go to security at wordpress.org.

Now grant you, this is an obvious false alarm, but it's better to be safe
than sorry.


More information about the wp-hackers mailing list