[wp-trac] [WordPress Trac] #59795: Private Information Exposure via redirect_guess_404_permalink()
WordPress Trac
noreply at wordpress.org
Thu Nov 2 10:31:01 UTC 2023
#59795: Private Information Exposure via redirect_guess_404_permalink()
-------------------------------+-----------------------------
Reporter: FrancescoCarlucci | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: minor | Keywords:
Focuses: privacy |
-------------------------------+-----------------------------
When guessing the proper URL to redirect a 404, WordPress only considers
the post statuses and not the proper post type privacy settings, leading
to potential information disclosure. More specifically, this happens when
a post type is set to public => true but publicly_queryable => false,
which is supposed to be private.
### Steps to replicate
1. register a custom post type with the following settings
- public => true
- publicly_queryable => false
2. create an entry in the new custom post type, for example I used as
title "info at example.com"
3. access a 404 page similar to content, eg. example.com/info and in the
redirect it will disclose the private slug
___
Note: the ticket has been discussed with the Security team and there is
already a patch available, planned to be released.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59795>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list