[wp-trac] [WordPress Trac] #63856: Bug Report: Post Author Can Be Assigned to Subscribers via Gutenberg Editor
WordPress Trac
noreply at wordpress.org
Thu Aug 21 19:28:39 UTC 2025
#63856: Bug Report: Post Author Can Be Assigned to Subscribers via Gutenberg Editor
-------------------------------------------------+-------------------------
 Reporter:  chilu5504                             |       Owner:  (none)
     Type:  defect (bug)                          |      Status:  new
 Priority:  normal                                |   Milestone:  Awaiting Review
Component:  Editor                                |     Version:  6.8.2
 Severity:  critical                              |  Resolution:
 Keywords:  has-test-info needs-unit-tests        |     Focuses:  tests,
            dev-feedback                          |               administration
-------------------------------------------------+-------------------------
Comment (by rishabhwp):
I was able to successfully reproduce this issue using the latest Gutenberg
repository. After going through the codebase, I found that this is a
Gutenberg-specific security vulnerability rather than a WordPress Core
issue.
**Root Cause:** The Gutenberg editor correctly filters the author dropdown
to display only users with appropriate capabilities (Administrator,
Editor, Contributor). However, there is no client-side validation when the
author field is updated via DOM manipulation in the post settings panel.
This allows subscribers to be assigned as post authors by manually
changing dropdown values through browser developer tools.
Check
[https://github.com/WordPress/gutenberg/blob/trunk/packages/editor/src/components/post-author/combobox.js#L28 combobox.js]
and
[https://github.com/WordPress/gutenberg/blob/trunk/packages/editor/src/components/post-author/select.js#L18 select.js]
Should I open an issue in the Gutenberg repository for this?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63856#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
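Whatever the client filters, the author value arrives at the server as a plain user ID, so the durable control is a server-side check that the chosen user actually holds the post type's edit capability. The following mu-plugin is an added example written for this ticket, not code from WordPress core, Gutenberg or the reporter; the `rac_` prefix, the file location and the choice to reject REST saves but coerce other paths are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Require author capability (added example, not core/Gutenberg code)
 * Place in wp-content/mu-plugins/ so it loads before any editor request.
 */

// True when $user_id may be the author of a $post_type post: the user must
// exist and hold the post type's edit_posts capability (subscribers do not).
function rac_user_can_author( $user_id, $post_type ) {
    $user_id = (int) $user_id;
    if ( $user_id <= 0 || ! get_userdata( $user_id ) ) {
        return false;
    }
    $pto = get_post_type_object( $post_type );
    $cap = $pto ? $pto->cap->edit_posts : 'edit_posts';
    return user_can( $user_id, $cap );
}

// REST path (block editor saves): this filter may return WP_Error, so the
// request is rejected with a 400 and nothing is written.
function rac_rest_check_author( $prepared_post, $request ) {
    if ( is_wp_error( $prepared_post ) || ! isset( $prepared_post->post_author ) ) {
        return $prepared_post;
    }
    $post_type = isset( $prepared_post->post_type ) ? $prepared_post->post_type : 'post';
    if ( ! rac_user_can_author( $prepared_post->post_author, $post_type ) ) {
        return new WP_Error(
            'rest_invalid_author',
            __( 'The selected author is not allowed to author this post type.' ),
            array( 'status' => 400 )
        );
    }
    return $prepared_post;
}
foreach ( array( 'post', 'page' ) as $rac_type ) {
    add_filter( "rest_pre_insert_{$rac_type}", 'rac_rest_check_author', 10, 2 );
}

// Non-REST path (classic editor, XML-RPC, direct wp_insert_post() callers):
// wp_insert_post_data cannot abort the save, so fall back to the current
// user when one is logged in and log the rejected value for review.
function rac_coerce_author( $data, $postarr ) {
    if ( ! empty( $data['post_author'] )
        && ! rac_user_can_author( $data['post_author'], $data['post_type'] ) ) {
        error_log( 'rac: rejected post_author ' . (int) $data['post_author'] );
        $fallback = get_current_user_id();
        if ( $fallback ) {
            $data['post_author'] = $fallback;
        }
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'rac_coerce_author', 10, 2 );
```

Custom post types need their own `rest_pre_insert_{post_type}` hook added to the loop; the `wp_insert_post_data` fallback already covers every type.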