[wp-trac] [WordPress Trac] #20195: Plugins uninstall.php

WordPress Trac wp-trac at lists.automattic.com
Mon Apr 30 17:54:38 UTC 2012


#20195: Plugins uninstall.php
--------------------------+------------------------------
 Reporter:  wpsmith       |       Owner:
     Type:  enhancement   |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Plugins       |     Version:
 Severity:  major         |  Resolution:
 Keywords:  dev-feedback  |
--------------------------+------------------------------
Changes (by lightningspirit):

 * cc: lightningspirit@… (added)
 * keywords:   => dev-feedback
 * severity:  normal => major


Comment:

 Indeed, like scribu said, you should not be concerned about the security
 of uninstall.php for trusted plugins, internally...

 ...because for a less common scenario I think we have to be concerned
 about the attacks from external scripts (crawlers, etc...).

 Question: What happens if an external script includes wp-load.php from a
 WordPress instance, defines WP_UNINSTALL_PLUGIN and then includes an
 uninstall.php from a known plugin, for example, WP Ecommerce plugin?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20195#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list