[wp-xmlrpc] Re: [wp-hackers] XMLRPC rework
lloydomattic at gmail.com
Thu Aug 30 17:35:01 GMT 2007
On 8/30/07, Alexander Concha <alex at buayacorp.com> wrote:
> Hello Folks.
> I think WP's XMLRPC server needs more attention because it has some
> buggy methods and by default allows unprivileged users to gather
> useful information.
Although a very appropriate topic for this list, there is now a list
specifically for the topic: wp-xmlrpc at lists.automattic.com
> The following methods don't seem to work and because of security
> implications, I suggest remove them -- although I'm not sure if they
> were added for compatibility reasons.
> - blogger_getTemplate
> - blogger_setTemplate
> OTOH, unprivileged users (aka anyone with a subscriber role) can
> retrieve data which could be used for unknown purposes. Examples:
> - mw_getRecentPosts will return posts including private fields like
> - wp_getAuthors will return the list of users with private data (email
> and role).
> Any comments?
> PS. Sorry for my bad English.
> Alexander Concha
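The report above gives an admin a concrete thing to verify on their own install: does a subscriber-level account calling wp.getAuthors get back other users' email addresses and roles? The script below is an added example written for this thread, not code from WordPress or from either poster. It shows the XML-RPC request a client sends, decodes the methodResponse, and flags any author field whose name suggests private data. The endpoint URL, the account names, the field names in the sample responses and the fault text are all constructed for illustration; the thread only says the method returns "email and role".

```python
"""Probe for the wp.getAuthors information leak discussed in the thread.

Added example, not WordPress code. Sample responses are constructed.
"""
import xmlrpc.client

# Substrings that mark a returned author field as private. The actual key
# names a given WordPress version returns are not stated in the thread, so
# match loosely rather than on an assumed exact name.
SENSITIVE_KEY_HINTS = ("email", "role", "pass", "activation")


def build_get_authors_call(blog_id, username, password):
    """Serialise the wp.getAuthors methodCall exactly as a client POSTs it.

    The signature (blog_id, username, password) is the one WordPress's
    wp.* methods take; the blog_id is ignored on a single-blog install.
    """
    return xmlrpc.client.dumps((blog_id, username, password),
                               methodname="wp.getAuthors")


def sensitive_fields(authors):
    """Map user_login -> sorted list of leaked keys for each returned struct."""
    leaks = {}
    for author in authors:
        bad = sorted(k for k in author
                     if any(h in k.lower() for h in SENSITIVE_KEY_HINTS))
        if bad:
            label = str(author.get("user_login", author.get("user_id", "?")))
            leaks[label] = bad
    return leaks


def check_response(xml_body):
    """Decode a methodResponse body and report what a subscriber got back.

    A fault (the server refusing the call) is the desired outcome and is
    reported as denied=True with no leaks.
    """
    try:
        (authors,), _method = xmlrpc.client.loads(xml_body)
    except xmlrpc.client.Fault as fault:
        return {"denied": True, "fault": fault.faultString, "leaks": {}}
    return {"denied": False, "fault": None, "leaks": sensitive_fields(authors)}


def probe(url, username, password, blog_id=1):
    """Live probe: call wp.getAuthors on a real endpoint with low-privilege
    credentials. Not exercised below; run it only against a site you own."""
    server = xmlrpc.client.ServerProxy(url)
    try:
        authors = server.wp.getAuthors(blog_id, username, password)
    except xmlrpc.client.Fault as fault:
        return {"denied": True, "fault": fault.faultString, "leaks": {}}
    return {"denied": False, "fault": None, "leaks": sensitive_fields(authors)}


# Constructed: what an unpatched server might hand a subscriber account.
SAMPLE_LEAKY_RESPONSE = xmlrpc.client.dumps(
    ([{"user_id": "1", "user_login": "admin",
       "user_email": "admin@example.invalid", "user_role": "administrator"},
      {"user_id": "7", "user_login": "reader",
       "user_email": "reader@example.invalid", "user_role": "subscriber"}],),
    methodresponse=True)

# Constructed: a server that gates the method on a capability instead of
# only checking that the login/password pair is valid.
SAMPLE_DENIED_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Sorry, you cannot list authors."),
    methodresponse=True)


if __name__ == "__main__":
    print(build_get_authors_call(1, "reader", "reader-password"))
    print(check_response(SAMPLE_LEAKY_RESPONSE))
    print(check_response(SAMPLE_DENIED_RESPONSE))
    # To test a real install (hypothetical URL):
    # print(probe("http://blog.example.invalid/xmlrpc.php", "reader", "reader-password"))
```

The point of the two constructed responses is the distinction the report is making: wp.getAuthors authenticating the caller is not the same as authorising the call. A subscriber has a valid login, so a method that only checks login_pass_ok will answer; the server has to additionally decide whether that role may see the user list before returning email addresses or roles.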