[wp-trac] [WordPress Trac] #47820: should update_option() check "manage_options" capability?
WordPress Trac
noreply at wordpress.org
Fri Aug 2 10:13:29 UTC 2019
#47820: should update_option() check "manage_options" capability?
--------------------------------+-----------------------------
 Reporter:  lllor               |       Owner:  (none)
     Type:  feature request     |      Status:  new
 Priority:  normal              |   Milestone:  Awaiting Review
Component:  Options, Meta APIs  |     Version:  5.2.2
 Severity:  normal              |    Keywords:
  Focuses:                      |
--------------------------------+-----------------------------
As in the summary, please consider improving the security of
update_option() by checking the related capability.
Or at least, write in the documentation that it's the plugin author's
duty to verify it.
Otherwise, a vulnerability may occur, as recently happened in the ND
Shortcodes For Visual Composer plugin:
https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-shortcodes-for-visual-composer-plugin/
Cheers.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47820>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
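
The check the ticket asks about, sketched as an added example that is not part of the ticket and is not code from WordPress core or from the plugin mentioned above. The "myplugin" prefix, the action names and the option names are hypothetical; the WordPress functions called are the real core APIs.

```php
<?php
// Added example. The "myplugin" prefix, action names and option names
// are hypothetical.

// Unchecked pattern: wp_ajax_* hooks fire for any logged-in user, and
// update_option() performs no capability check of its own, so the lowest
// privileged account that reaches this handler can write any option.
add_action( 'wp_ajax_myplugin_save_unchecked', function () {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_die();
} );

// Checked pattern: verify intent (nonce), verify authority (capability),
// and restrict which options this handler is able to write.
add_action( 'wp_ajax_myplugin_save', 'myplugin_save_option' );

function myplugin_save_option() {
    // Dies with a 403 if the request lacks a valid nonce for this action.
    check_ajax_referer( 'myplugin_save', 'nonce' );

    // The caller's duty: update_option() will not do this for the plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list of options owned by this plugin (hypothetical names).
    $allowed = array( 'myplugin_layout', 'myplugin_color' );
    $name    = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

The allow-list matters independently of the capability check: it keeps a handler meant for plugin settings from ever touching core options, even when an authorized user calls it.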