[wp-trac] [WordPress Trac] #64782: Real-time collaboration awareness state can be mutated by another authorized user
WordPress Trac
noreply at wordpress.org
Tue Mar 3 00:11:34 UTC 2026
#64782: Real-time collaboration awareness state can be mutated by another authorized user
--------------------------+--------------------------------------
Reporter: czarate | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: trunk
Severity: normal | Keywords: has-patch has-unit-tests
Focuses: rest-api |
--------------------------+--------------------------------------
During collaborative sessions, awareness state is set by each
participating client. Awareness state includes general information such as
the user's display name and avatar URL. It also includes presence
information such as their current cursor position. This state, once shared
with other clients, is used to render indicators that show their presence
and activity in the session.

Using the built-in HTTP polling sync server, awareness state is accepted
and stored after the user is authorized. This state is keyed against their
sync client ID, which is randomly generated.

However, nothing prevents a user from spoofing another client's client ID,
which is discoverable by inspecting network responses. By replaying a sync
request with a different client ID, they could temporarily overwrite
another client's awareness state. I say "temporarily" because the spoofed
client will soon send another awareness update that will restore it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64782>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
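The weakness the ticket describes, modelled as an added example that is not WordPress code and not part of the ticket: an in-memory awareness store keyed only by the client-supplied sync client ID, next to a hardened store that binds each client ID to the authenticated user who first registered it and rejects updates from anyone else. The class and function names, user IDs and client IDs are all constructed for the illustration.

```python
# Added illustrative model (not WordPress code): an awareness store like the
# one the ticket describes, beside a hardened variant. All names and sample
# values below are constructed.
from dataclasses import dataclass, field


@dataclass
class NaiveAwarenessStore:
    """Accepts any update from any authorized user, keyed by client ID only."""
    state: dict = field(default_factory=dict)

    def update(self, user_id: int, client_id: str, awareness: dict) -> bool:
        # Authorization only establishes that *some* user is logged in; the
        # client ID in the request is trusted, so another user can replay a
        # request with this ID and overwrite the entry.
        self.state[client_id] = awareness
        return True


@dataclass
class BoundAwarenessStore:
    """Binds each client ID to the user who first registered it."""
    state: dict = field(default_factory=dict)
    owner: dict = field(default_factory=dict)  # client_id -> user_id

    def update(self, user_id: int, client_id: str, awareness: dict) -> bool:
        # First writer of a client ID becomes its owner; later writers must match.
        registered = self.owner.setdefault(client_id, user_id)
        if registered != user_id:
            # Client ID belongs to another user's session: reject, do not overwrite.
            return False
        self.state[client_id] = awareness
        return True


def replay_scenario(store) -> tuple:
    """Two users share a session; user 7 resends an update using user 3's client ID.

    Returns (whether the cross-user update was accepted, user 3's stored cursor).
    """
    store.update(3, "c-alice", {"name": "Alice", "cursor": 10})
    store.update(7, "c-bob", {"name": "Bob", "cursor": 42})
    accepted = store.update(7, "c-alice", {"name": "Alice", "cursor": 0})
    return accepted, store.state["c-alice"]["cursor"]


if __name__ == "__main__":
    print("naive:", replay_scenario(NaiveAwarenessStore()))   # (True, 0)
    print("bound:", replay_scenario(BoundAwarenessStore()))   # (False, 10)
```

The naive store lets user 7 clobber user 3's cursor; the bound store keeps user 3's last update intact, which is the ownership check a server would apply before storing client-supplied awareness state.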