[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor

buddypress-trac noreply at wordpress.org
Mon Jun 15 13:05:57 UTC 2015

#6504: Messages viewable to any logged out visitor
 Reporter:  CodeMonkeyBanana       |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  2.3.2
Component:  Component - Messaging  |     Version:
 Severity:  blocker                |  Resolution:
 Keywords:  has-patch              |
Changes (by boonebgorges):

 * severity:  major => blocker
 * milestone:  Awaiting Review => 2.3.2


 > In the future, let's treat issues like this as security issues.

 +1. In the future, please send reports of this nature to
 security at wordpress.org.

 Replying to [comment:6 sbrajesh]:
 > To be honest, there is a loophole. Won't be posting anything here

 Confirmed. There is a way to spoof the user ID even when logged in, though
 it's very much not obvious. We need a couple of different kinds of hardening.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:11>
BuddyPress Trac <http://buddypress.org/>