[wp-hackers] Possible vulnerability with the plugin system

John Blackbourn johnbillion+wp at gmail.com
Thu Dec 6 15:02:32 GMT 2007


http://trac.wordpress.org/ticket/5427

On Nov 30, 2007 6:56 PM, Andy Skelton <skeltoac at gmail.com> wrote:
> On Nov 30, 2007 12:34 PM, John Blackbourn <johnbillion+wp at gmail.com> wrote:
> > Does this class as a vulnerability?
>
> No.
>
> It makes little sense for a plugin to do anything rash simply by
> including a file and this is not a design pattern I have seen in the
> wild.
>
> You bring up an excellent point: WordPress should not include a file
> indicated by a URL query string that has not been specified in an
> add_submenu_page call. Please submit a bug report and a patch if you
> are prepared to write one.
>
> Cheers,
> Andy
>
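
The rule Andy describes above (only include a file that was registered beforehand, never one named directly by the query string), sketched as an added example that is not part of the original message and is not WordPress code. `AdminPageRegistry`, its methods, the slugs and the file names are all hypothetical; the sample plugin directory is constructed in a temp folder.

```php
<?php
// Added illustration; every name here is hypothetical, not WordPress's own code.
final class AdminPageRegistry
{
    /** @var array<string,string> slug => absolute path of a registered file */
    private array $pages = [];
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException('Base directory not found');
        }
        $this->baseDir = $real . DIRECTORY_SEPARATOR;
    }

    // Called by plugin code at registration time (the role add_submenu_page plays in the thread).
    public function register(string $slug, string $relativeFile): void
    {
        $real = realpath($this->baseDir . $relativeFile);
        // Reject files that do not exist or that resolve outside the base directory.
        if ($real === false || strncmp($real, $this->baseDir, strlen($this->baseDir)) !== 0) {
            throw new InvalidArgumentException("Refusing to register $relativeFile");
        }
        $this->pages[$slug] = $real;
    }

    // The request value is only ever a lookup key, never a path fragment.
    public function resolve($requested): ?string
    {
        return is_string($requested) ? ($this->pages[$requested] ?? null) : null;
    }
}

// Constructed demo: one registered page, one file that exists but was never registered.
$dir = sys_get_temp_dir() . '/demo-plugins-' . bin2hex(random_bytes(4));
mkdir("$dir/example", 0700, true);
file_put_contents("$dir/example/settings.php", "<?php echo 'settings page';");
file_put_contents("$dir/example/install.php", "<?php echo 'never reached';");

$registry = new AdminPageRegistry($dir);
$registry->register('example-settings', 'example/settings.php');

// Each value stands in for what arrives in the URL query string.
foreach (['example-settings', 'example/install.php', '../outside.php'] as $page) {
    $file = $registry->resolve($page);
    echo str_pad($page, 22), $file === null ? 'rejected (not registered)' : "include $file", "\n";
}
```

Only the first value resolves to a file; the other two are rejected because they were never registered, even though `example/install.php` exists on disk.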

