[wp-trac] [WordPress Trac] #26645: Possible upgrade to wrong theme/plugin
WordPress Trac
noreply at wordpress.org
Mon Dec 16 13:37:37 UTC 2013
#26645: Possible upgrade to wrong theme/plugin
-----------------------------+-----------------------------
Reporter: meloniq | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version: trunk
Severity: normal | Keywords:
-----------------------------+-----------------------------
Component: api.wordpress.org/(themes|plugins)/update-check/
An upgrade can be applied to the wrong theme if a theme with the same name
is listed in the WP repository.
Scenario:
- I have created a 'Twenty Fifteen' theme, version 0.9 (for personal use)
- A month later the WP team releases a new 'Twenty Fifteen' theme,
version 1.0, in the WP repository
- WP Upgrader receives information that there is an update available for
my theme
- On upgrade my theme is overridden with the WP one
This 'security hole' can be used by some theme/plugin authors to create
equivalents of commercial products that will get overridden on the next
upgrade.
Possible solution:
The WP API could check some additional param (like Author) before
returning results about available updates.
(sidenote) I could add a filter to my theme to exclude it from the check
in the WP API, but it will only work when my theme is active.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26645>
WordPress Trac <http://core.trac.wordpress.org/>
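The filter mentioned in the sidenote, written as a must-use plugin so it runs regardless of which theme is active. This is an added example, not code from the ticket or from WordPress core; the theme slug and plugin basename are hypothetical, and it relies on the `pre_set_site_transient_update_themes`, `site_transient_update_themes` and `site_transient_update_plugins` filters (the update offers WordPress stores before the upgrader acts on them).

```php
<?php
/*
Plugin Name: Keep Private Themes and Plugins Out of Update Checks
Description: Drops update offers whose slug collides with a locally developed
             theme or plugin, so a WordPress.org package with the same name
             cannot overwrite it. Place in wp-content/mu-plugins/.
*/

// Hypothetical identifiers: theme directory names and plugin basenames
// (relative to wp-content/plugins) that must never be replaced from the
// repository. Replace with your own.
function private_items_theme_slugs() {
    return array( 'twentyfifteen' );
}
function private_items_plugin_files() {
    return array( 'my-private-plugin/my-private-plugin.php' );
}

// Remove matching entries from the "response" array of an update transient.
// $keys lists the slugs (themes) or basenames (plugins) to protect.
function private_items_strip_updates( $transient, $keys, $kind ) {
    if ( ! is_object( $transient ) || empty( $transient->response ) ) {
        return $transient;
    }
    foreach ( $keys as $key ) {
        if ( isset( $transient->response[ $key ] ) ) {
            // Log the suppressed offer: a colliding name in the repository is
            // worth an operator's attention even though it is blocked here.
            error_log( sprintf( 'Suppressed %s update offer for "%s"', $kind, $key ) );
            unset( $transient->response[ $key ] );
        }
    }
    return $transient;
}

function private_items_filter_theme_updates( $transient ) {
    return private_items_strip_updates( $transient, private_items_theme_slugs(), 'theme' );
}
function private_items_filter_plugin_updates( $transient ) {
    return private_items_strip_updates( $transient, private_items_plugin_files(), 'plugin' );
}

// Filter both when the transient is stored and when it is read, so neither
// the admin notice nor the upgrader ever sees the colliding offer.
add_filter( 'pre_set_site_transient_update_themes',  'private_items_filter_theme_updates' );
add_filter( 'site_transient_update_themes',          'private_items_filter_theme_updates' );
add_filter( 'pre_set_site_transient_update_plugins', 'private_items_filter_plugin_updates' );
add_filter( 'site_transient_update_plugins',         'private_items_filter_plugin_updates' );
```

Note that this only hides the offer on the installing site; it does not change what api.wordpress.org returns, so the Author-based check the ticket proposes would still have to live on the API side.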