[wp-trac] [WordPress Trac] #6838: Any user is able to edit attachments
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 25 11:27:56 GMT 2008
#6838: Any user is able to edit attachments
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.5.1
Component: Security | Version: 2.5
Severity: normal | Keywords:
----------------------+-----------------------------------------------------
Any user that knows the ID of an attachment is able to edit some
attributes of it.
Steps to reproduce the problem:
1. Log in as an unprivileged user.
2. Directly access the following URL:
`http://site/wp/wp-admin/media.php?action=edit&attachment_id=ATTACHMENT_ID`
3. Press the "Save Changes" button.
--
Ticket URL: <http://trac.wordpress.org/ticket/6838>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software