[wp-trac] [WordPress Trac] #64782: Real-time collaboration awareness state can be mutated by another authorized user
WordPress Trac
noreply at wordpress.org
Thu Mar 5 09:22:21 UTC 2026
#64782: Real-time collaboration awareness state can be mutated by another authorized user
--------------------------------------+------------------------------
 Reporter:  czarate                   |       Owner:  ellatrix
     Type:  defect (bug)              |      Status:  closed
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Editor                    |     Version:  trunk
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:  rest-api
--------------------------------------+------------------------------
Changes (by ellatrix):
* owner: (none) => ellatrix
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"61838" 61838]:
{{{
#!CommitTicketReference repository="" revision="61838"
Real-time collaboration: check wp_user_id before accepting awareness update.
Using the built-in HTTP polling sync server, awareness state is accepted
and stored after the user is authorized. This state is keyed against their
sync client ID, which is randomly generated.
However, nothing prevents a user from spoofing another client's client ID,
which is discoverable by inspecting network responses. By replaying a sync
request with a different client ID, they could temporarily overwrite
another client's awareness state.
This change prevents this spoofing by storing and checking the user's
WordPress user ID to ensure it matches the initial update.
Developed in: https://github.com/WordPress/wordpress-develop/pull/11120.
Syncs: https://github.com/WordPress/gutenberg/pull/76056.
Fixes #64782.
Props czarate.
}}}
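The commit message above describes the defect and the fix in prose. The sketch below is an added illustration and is not WordPress core code, not the changeset, and not the Gutenberg pull request: it is a self-contained PHP model of an awareness store for an HTTP polling sync server, with the unchecked "before" behaviour next to the checked "after" behaviour. The class name `AwarenessStore`, the method names and the in-memory array are assumptions made for the example; a real server would keep this state in a shared store and would take the user ID from the authenticated session, never from the request body.

```php
<?php
// Added example, not WordPress core code. Models awareness state keyed by a
// randomly generated sync client ID, as the commit message describes, and
// shows the wp_user_id check that prevents one authorized user from
// overwriting another client's state.

final class AwarenessStore
{
    /** @var array<string, array{wp_user_id: int, state: array, updated: int}> */
    private array $states = [];

    /**
     * "Before": state is keyed only by the client ID. Any authorized user who
     * replays a sync request carrying another client's ID overwrites that
     * client's state, because nothing ties the client ID to a WordPress user.
     */
    public function updateUnchecked(string $clientId, int $wpUserId, array $state): bool
    {
        $this->states[$clientId] = [
            'wp_user_id' => $wpUserId,
            'state'      => $state,
            'updated'    => time(),
        ];
        return true;
    }

    /**
     * "After": the WordPress user ID is stored with the first update for a
     * client ID, and every later update for that client ID must carry the same
     * user ID. $wpUserId must come from the server-side session (for example
     * get_current_user_id() in WordPress), not from client-supplied data.
     */
    public function update(string $clientId, int $wpUserId, array $state): bool
    {
        if ($wpUserId <= 0) {
            return false; // only authenticated users may publish awareness state
        }
        if (isset($this->states[$clientId])
            && $this->states[$clientId]['wp_user_id'] !== $wpUserId) {
            // Client ID is already bound to a different user: reject the update
            // and leave the existing state untouched.
            return false;
        }
        $this->states[$clientId] = [
            'wp_user_id' => $wpUserId,
            'state'      => $state,
            'updated'    => time(),
        ];
        return true;
    }

    public function get(string $clientId): ?array
    {
        return $this->states[$clientId] ?? null;
    }
}

// Constructed demo: user 7 owns client "c1a2"; user 9 is another authorized
// user who has learned that client ID from network responses.
$store = new AwarenessStore();
$store->update('c1a2', 7, ['cursor' => 12, 'selection' => [12, 20]]);

$accepted = $store->update('c1a2', 9, ['cursor' => 0, 'selection' => null]);
printf("checked update by user 9: %s\n", $accepted ? 'accepted' : 'rejected');   // rejected
printf("owner after checked update: %d\n", $store->get('c1a2')['wp_user_id']); // 7

// The unchecked path shows the original defect: the state is silently replaced.
$store->updateUnchecked('c1a2', 9, ['cursor' => 0, 'selection' => null]);
printf("owner after unchecked update: %d\n", $store->get('c1a2')['wp_user_id']); // 9
```

The check is deliberately stateful: binding happens on the first accepted update for a client ID, so a client that has never published state cannot be hijacked before it does, and a later request with a mismatched user ID is dropped rather than merged. When adding a unit test for such a fix, the useful assertions are that a mismatched update returns a rejection, that the stored state and owner are unchanged afterwards, and that the legitimate client can still update its own entry.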
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64782#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>