[wp-trac] [WordPress Trac] #63856: Bug Report: Post Author Can Be Assigned to Subscribers via Gutenberg Editor
WordPress Trac
noreply at wordpress.org
Sat Aug 23 06:26:07 UTC 2025
#63856: Bug Report: Post Author Can Be Assigned to Subscribers via Gutenberg Editor
-------------------------------------------------+-------------------------
Reporter: chilu5504                              | Owner: (none)
Type: defect (bug)                               | Status: new
Priority: normal                                 | Milestone: Awaiting Review
Component: Editor                                | Version: 6.8.2
Severity: normal                                 | Resolution:
Keywords: has-test-info needs-unit-tests         | Focuses: tests, administration
  dev-feedback                                   |
-------------------------------------------------+-------------------------
Comment (by chilu5504):
Replying to [comment:1 rishabhwp]:
> I was able to successfully reproduce this issue using the latest
> Gutenberg repository. After going through the codebase, I found that this
> is a Gutenberg-specific security vulnerability rather than a WordPress
> Core issue.
>
> **Root Cause:** The Gutenberg editor correctly filters the author
> dropdown to display only users with appropriate capabilities
> (Administrator, Editor, Contributor). However, there is no client-side
> validation when the author field is updated via DOM manipulation in the
> post settings panel. This allows subscribers to be assigned as post
> authors by manually changing dropdown values through browser developer
> tools.
>
> Check
> [https://github.com/WordPress/gutenberg/blob/trunk/packages/editor/src/components/post-author/combobox.js#L28 combobox.js]
> and
> [https://github.com/WordPress/gutenberg/blob/trunk/packages/editor/src/components/post-author/select.js#L18 select.js]
>
> Should I open an issue in the Gutenberg repository for this?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63856#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
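The quoted comment describes the author dropdown being filtered in the browser. As an added example (not code from the ticket, from Gutenberg, or from WordPress core), below is a server-side guard a site operator could place in a must-use plugin so that who may own a post is enforced on the request the block editor saves through, independent of what the editor UI displayed. It hooks the `rest_pre_insert_{$post_type}` filter for every REST-enabled post type and returns a `WP_Error` when the requested author lacks the post type's `edit_posts` capability. The function name `example_validate_post_author`, the choice of `edit_posts` as the required capability, and the `error_log` line for detection are my assumptions, not anything the ticket specifies.

```php
<?php
/**
 * Added example, not code from the Trac ticket, Gutenberg or WordPress core.
 *
 * Server-side guard for post author assignment. The block editor persists
 * the author through the REST API, so this check runs on every REST create
 * or update regardless of what the author dropdown showed in the browser.
 *
 * Assumptions (mine, not the page's): deployed as a must-use plugin, and the
 * site policy is "a post author must hold the post type's edit_posts cap".
 */

/**
 * Reject a REST write whose author lacks the capability to edit this post type.
 *
 * @param stdClass|WP_Error $prepared_post Post object about to be inserted.
 * @param WP_REST_Request   $request       The incoming request.
 * @return stdClass|WP_Error Unchanged object, or WP_Error to abort the request.
 */
function example_validate_post_author( $prepared_post, WP_REST_Request $request ) {
    // Another filter may already have produced an error; pass it through.
    if ( is_wp_error( $prepared_post ) ) {
        return $prepared_post;
    }

    // Only act when the request actually tries to set an author.
    if ( ! isset( $request['author'] ) ) {
        return $prepared_post;
    }

    $author_id = isset( $prepared_post->post_author ) ? (int) $prepared_post->post_author : 0;
    $post_type = isset( $prepared_post->post_type ) ? $prepared_post->post_type : 'post';

    // Resolve the capability that means "may author this post type"
    // (edit_posts for posts, edit_pages for pages, and so on).
    $type_object  = get_post_type_object( $post_type );
    $required_cap = $type_object ? $type_object->cap->edit_posts : 'edit_posts';

    // user_can() returns false for unknown user IDs as well as for users
    // whose role lacks the capability, so both cases are rejected here.
    if ( $author_id > 0 && user_can( $author_id, $required_cap ) ) {
        return $prepared_post;
    }

    // Leave a trace for detection: which author was requested, by whom.
    error_log( sprintf(
        'Rejected post_author=%d (missing %s) on %s by user %d',
        $author_id,
        $required_cap,
        $post_type,
        get_current_user_id()
    ) );

    return new WP_Error(
        'rest_invalid_author',
        'The selected author is not permitted to own this post type.',
        array( 'status' => 400 )
    );
}

// Attach the guard to every post type exposed over REST. WordPress fires
// rest_pre_insert_{$post_type} from prepare_item_for_database() on both
// create and update, so a single registration covers both paths.
add_action( 'rest_api_init', function () {
    foreach ( get_post_types( array( 'show_in_rest' => true ), 'names' ) as $post_type ) {
        add_filter( "rest_pre_insert_{$post_type}", 'example_validate_post_author', 10, 2 );
    }
} );
```

Because the check is keyed on the target user's capability rather than on the list the dropdown happened to render, it holds for any client that talks to the REST API, and the logged line gives operations a signal to alert on if rejected assignments start appearing.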