[wp-trac] [WordPress Trac] #38076: Network admin plugin pages can be accessed on non-multisite

WordPress Trac noreply at wordpress.org
Fri Sep 16 19:56:08 UTC 2016


#38076: Network admin plugin pages can be accessed on non-multisite
----------------------------+-----------------------------
 Reporter:  flixos90        |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:
 Severity:  normal          |   Keywords:
  Focuses:  multisite       |
----------------------------+-----------------------------
 I just noticed that it's theoretically possible to access a plugin-
 generated page in the network admin panel even if we're not on a multisite
 setup. The same applies to the user admin panel as well.

 To replicate, create a plugin that uses `add_menu_page()` with a slug
 `my_test_page`, hooked into `network_admin_menu`. Then manually go to the
 URL `http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page`.

 This happens because the `is_multisite()` check happens only after
 including the general `wp-admin/admin.php` administration bootstrap file
 which takes care of any plugin pages by itself. The problem is we can't do
 it before because WordPress hasn't been loaded then. A possible solution
 would be to split the `require_once` statement in `wp-
 admin/network/admin.php` into two, one to load the WordPress core
 functions, the other to load `wp-admin/admin.php`.

 I don't think this is a very critical issue, but I thought it should be a
 ticket. It's very unlikely that anyone tries to access a network admin URL
 when they don't have a multisite. On the other hand, we catch that in
 other areas (through `! is_multisite()` checks), so we might try to do it
 here as well.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38076>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
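The split bootstrap the reporter proposes, as an added illustration for readers of this ticket; it is not WordPress core code and not the change that eventually closed the ticket. The file layout, the `WP_ADMIN` / `WP_NETWORK_ADMIN` constants and the load order are assumptions based on the ticket text (the same pattern would apply to the user admin bootstrap the reporter mentions):

```php
<?php
// Illustration of the split bootstrap the ticket proposes for
// wp-admin/network/admin.php. Added example, not core code; paths,
// constants and load order are assumptions drawn from the ticket.
//
// Before (assumed current shape): a single require_once pulls in
// wp-admin/admin.php, which loads WordPress *and* dispatches any
// registered plugin page, so the is_multisite() guard runs only after
// ?page=my_test_page has already been handled on a single-site install:
//
//   require_once dirname( __DIR__ ) . '/admin.php';
//   if ( ! is_multisite() ) {
//       wp_die( __( 'Multisite support is not enabled.' ) );
//   }

define( 'WP_NETWORK_ADMIN', true );

// Assumption: wp-admin/admin.php normally defines WP_ADMIN itself. If core
// is loaded first, the constant must already exist, because plugins that
// call is_admin() during loading read it at that time.
if ( ! defined( 'WP_ADMIN' ) ) {
	define( 'WP_ADMIN', true );
}

// Step 1: load WordPress core only, so is_multisite() and wp_die() exist
// but no administration or plugin-page code has run yet.
require_once dirname( dirname( __DIR__ ) ) . '/wp-load.php';

// Step 2: reject the request before the admin bootstrap can dispatch a
// plugin page. This is the check that currently comes too late.
if ( ! is_multisite() ) {
	wp_die( __( 'Multisite support is not enabled.' ) );
}

// Step 3: only a genuine multisite request reaches the administration
// bootstrap, which then handles the network plugin page as before.
// require_once is idempotent, so admin.php's own wp-load.php include is a no-op.
require_once dirname( __DIR__ ) . '/admin.php';
```

The point of the ordering is that `wp_die()` fires between core load and admin load, so a `network_admin_menu` page registered by a plugin is never reached on a single-site install; the remaining network admin code below the check is unchanged.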