[wp-trac] [WordPress Trac] #57437: Insecure Direct Object Reference in "author" parameter while making a page live Leads to Vertical Privilege Escalation on a Different Account
WordPress Trac
noreply at wordpress.org
Tue Jan 10 18:59:59 UTC 2023
-------------------------------------+------------------------------
Reporter: f41z4n | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 6.1.1
Severity: normal | Resolution:
Keywords: needs-patch 2nd-opinion | Focuses:
-------------------------------------+------------------------------
Changes (by ironprogrammer):
* keywords: needs-patch => needs-patch 2nd-opinion
* focuses: privacy =>
* component: Editor => Posts, Post Types
Comment:
Welcome to Trac, and thank you for the report, @f41z4n!
While the author ID can be manipulated prior to posting to WordPress, the
post/page edit screens perform their own user capability checks that
should prevent a non-authorized user from accessing the editor.
In fact, a legitimate use of this would be for an admin to create a page,
and then assign an author with the `contributor` role -- by default, this
role cannot modify pages, and attempts to access the page editor are met
with "Sorry, you are not allowed to edit this item." The same goes for
assigning the author to a user with no valid role or capabilities.
That being said, having an illegitimate user set as author (like in your
PoC) could have unintended consequences down the line, such as automatic
access to previously assigned posts/pages if their role or caps were
upgraded. Marking this ticket with `2nd-opinion` for additional committer
review.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57437#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
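The comment above describes the two checks that matter here: changing `post_author` to someone else requires the post type's `edit_others_*` capability, and an author who cannot edit the post type (a `contributor` on a page, or a role-less account) is still accepted by core. The following is an added example of a site-level hardening, written as a hypothetical mu-plugin rather than any WordPress core code or a patch from this ticket; the function name `example_enforce_author_caps` and the policy it enforces are assumptions:

```php
<?php
/**
 * Hypothetical hardening mu-plugin (added example, not WordPress core code).
 * Refuses to save a post or page whose post_author cannot edit that post type,
 * so content is never "parked" on a contributor or role-less account that would
 * inherit it if the account's role were later raised.
 */
add_filter( 'wp_insert_post_data', 'example_enforce_author_caps', 10, 2 );

function example_enforce_author_caps( array $data, array $postarr ): array {
    $author_id = isset( $data['post_author'] ) ? (int) $data['post_author'] : 0;
    $post_type = $data['post_type'] ?? 'post';

    // Skip unauthenticated contexts (cron, WP-CLI without --user); programmatic
    // imports need their own policy. Also skip the auto-draft the editor creates.
    if ( ! is_user_logged_in() || 0 === $author_id
        || 'auto-draft' === ( $data['post_status'] ?? '' ) ) {
        return $data;
    }

    $type_obj = get_post_type_object( $post_type );
    if ( ! $type_obj ) {
        return $data;
    }

    // Assigning the item to someone else still requires edit_others_* for this
    // type (e.g. edit_others_pages for pages), matching the core check.
    if ( $author_id !== get_current_user_id()
        && ! current_user_can( $type_obj->cap->edit_others_posts ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to change the author of this item.' ), 403 );
    }

    // Stricter than core: the assigned author must be able to edit this type at
    // all (edit_pages for pages), so a contributor cannot be made a page's author.
    if ( ! user_can( $author_id, $type_obj->cap->edit_posts ) ) {
        error_log( sprintf(
            'Refused post_author %d for post type %s: user lacks %s',
            $author_id, $post_type, $type_obj->cap->edit_posts
        ) );
        wp_die( esc_html__( 'The selected author cannot edit this type of content.' ), 403 );
    }

    return $data;
}
```

Dropped into `wp-content/mu-plugins/`, this turns the "unintended consequences down the line" case into a logged 403 at save time while leaving the admin-to-editor workflow untouched.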