[wp-trac] [WordPress Trac] #10310: add_menu_page Security Bug

WordPress Trac wp-trac at lists.automattic.com
Fri Jan 15 12:55:00 UTC 2010

#10310: add_menu_page Security Bug
 Reporter:  shazahm1@…            |        Owner:  ryan    
     Type:  defect (bug)          |       Status:  reopened
 Priority:  normal                |    Milestone:  2.8.1   
Component:  Menus                 |      Version:  2.8     
 Severity:  major                 |   Resolution:          
 Keywords:                        |  
Changes (by DeNeusbeer):

  * status:  closed => reopened
  * resolution:  fixed =>


 I recently encountered this bug again in WP 2.9.1. I reproduced it using a
 fresh install of WordPress and this very simple plugin I wrote. It only
 adds 1 menu page for Administrators, and 1 submenu page for Contributors:

 <?php
 /*
 Plugin Name: Menu testing
 Plugin URI:
 Description: Testing menu page structure
 Author: DeNeusbeer
 */

 add_action('admin_menu', 'admin_menu_custom');

 // Register one top-level menu page for Administrators and one submenu
 // page (under index.php) for Contributors.
 function admin_menu_custom() {
     add_menu_page('Adminpage', 'Adminpage', 'administrator', 'adminpage',
 'get_adminpage');
     add_submenu_page('index.php', 'Testpage', 'Testpage', 'contributor',
 'testpage', 'get_contributor_page');
 }

 // Callback for the top-level Adminpage menu.
 function get_adminpage() {
     echo 'This is an administrator page, only administrators should see';
 }

 // Callback for the Testpage submenu.
 function get_contributor_page() {
     echo 'this is a contributor page.';
 }

 I added 2 users, one Administrator and one Contributor. The normal link to
 the newly created Adminpage menu is
 /wp-admin/'''admin.php'''?page=adminpage and this is accessible only by the
 Administrator, as expected. But if I point the browser to
 /wp-admin/'''index.php'''?page=adminpage , the Contributor can see the page

 This only occurs for menu pages, not for submenu pages.

Ticket URL: <http://core.trac.wordpress.org/ticket/10310#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
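
A defensive pattern for the behaviour reported in this ticket, as an added example that is not part of the original message or of WordPress core: each page callback re-checks the capability itself, so the page refuses to render whichever parent file (admin.php or index.php) the ?page= slug is requested through. The function names, the constant, and the use of the manage_options and edit_posts capabilities in place of the ticket's role names are assumptions.

```php
<?php
/*
Plugin Name: Menu testing (guarded callbacks)
Description: Added example: capability re-checked inside each page callback.
*/

if (!defined('ABSPATH')) {
    exit; // Refuse direct requests to this file outside WordPress.
}

// Hypothetical constant: capability required for the admin-only page.
define('MENU_TESTING_ADMIN_CAP', 'manage_options');
// Hypothetical constant: capability required for the contributor page.
define('MENU_TESTING_CONTRIB_CAP', 'edit_posts');

add_action('admin_menu', 'menu_testing_register');

function menu_testing_register() {
    add_menu_page('Adminpage', 'Adminpage', MENU_TESTING_ADMIN_CAP,
        'adminpage', 'menu_testing_render_adminpage');
    add_submenu_page('index.php', 'Testpage', 'Testpage',
        MENU_TESTING_CONTRIB_CAP, 'testpage',
        'menu_testing_render_contributor_page');
}

// Hypothetical helper: stop with HTTP 403 unless the current user holds $cap.
function menu_testing_require_cap($cap) {
    if (!current_user_can($cap)) {
        wp_die('You do not have sufficient permissions to access this page.',
            '', array('response' => 403));
    }
}

function menu_testing_render_adminpage() {
    // Do not rely on the menu registration alone: the same ?page= slug can
    // be requested through a different parent file than the one registered.
    menu_testing_require_cap(MENU_TESTING_ADMIN_CAP);
    echo 'This is an administrator page.';
}

function menu_testing_render_contributor_page() {
    menu_testing_require_cap(MENU_TESTING_CONTRIB_CAP);
    echo 'This is a contributor page.';
}
```

To verify, log in as a Contributor and request both /wp-admin/admin.php?page=adminpage and /wp-admin/index.php?page=adminpage; neither should show the administrator text.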
