[wp-trac] [WordPress Trac] #10310: add_menu_page Security Bug
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 15 12:55:00 UTC 2010
#10310: add_menu_page Security Bug
----------------------------------+-----------------------------------------
Reporter: shazahm1@… | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 2.8.1
Component: Menus | Version: 2.8
Severity: major | Resolution:
Keywords: |
----------------------------------+-----------------------------------------
Changes (by DeNeusbeer):
* status: closed => reopened
* resolution: fixed =>
Comment:
I recently encountered this bug again in WP 2.9.1. I reproduced it using a
fresh install of WordPress and this very simple plugin I wrote. It only
adds 1 menu page for Administrators, and 1 submenu page for Contributors:
{{{
<?php
/*
Plugin Name: Menu testing
Plugin URI:
Description: Testing menu page structure
Author: DeNeusbeer
*/
add_action('admin_menu', 'admin_menu_custom');

// Register one top-level page for administrators and one submenu page
// (under the Dashboard, index.php) for contributors.
function admin_menu_custom() {
    add_menu_page('Adminpage', 'Adminpage', 'administrator', 'adminpage',
        'get_adminpage');
    add_submenu_page('index.php', 'Testpage', 'Testpage', 'contributor',
        'testpage', 'get_contributor_page');
}

// Callback for the top-level page; does no capability check of its own.
function get_adminpage() {
    echo 'This is an administrator page, only administrators should see it.';
}

// Callback for the contributor submenu page.
function get_contributor_page() {
    echo 'this is a contributor page.';
}
?>
}}}
I added 2 users, one Administrator and one Contributor. The normal link to
the newly created Adminpage menu is /wp-admin/'''admin.php'''?page=adminpage
and this is accessible only by the Administrator, as expected. But if I point
the browser to /wp-admin/'''index.php'''?page=adminpage , the Contributor can
see the page as well.
This only occurs for menu pages, not for submenu pages.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10310#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
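
A defense-in-depth variant of the test plugin above, added here as an example (not part of the ticket or of WordPress core): each page callback re-checks the capability itself, so the page stays protected whichever wp-admin parent file the request arrives through. The helper `menu_testing_guard`, the function `menu_testing_register`, and the choice of `manage_options` / `edit_posts` in place of the role names are assumptions of this example; it requires PHP 5.3+ for closures.

```php
<?php
/*
Plugin Name: Menu testing (guarded callbacks)
Description: Added example: enforces the capability inside each page callback.
*/

// Hypothetical helper: wraps a page callback so that the capability is
// checked at render time, independent of the menu registration check.
function menu_testing_guard($capability, $callback) {
    return function () use ($capability, $callback) {
        if (!current_user_can($capability)) {
            wp_die('You do not have sufficient permissions to access this page.');
        }
        call_user_func($callback);
    };
}

add_action('admin_menu', 'menu_testing_register');

function menu_testing_register() {
    // Assumption: these capabilities stand in for the 'administrator' and
    // 'contributor' role names used in the original test plugin.
    $admin_cap   = 'manage_options';
    $contrib_cap = 'edit_posts';

    // The same capability is passed to the menu API and to the guard, so the
    // value shown in the menu and the value enforced cannot drift apart.
    add_menu_page('Adminpage', 'Adminpage', $admin_cap, 'adminpage',
        menu_testing_guard($admin_cap, 'get_adminpage'));
    add_submenu_page('index.php', 'Testpage', 'Testpage', $contrib_cap,
        'testpage', menu_testing_guard($contrib_cap, 'get_contributor_page'));
}

function get_adminpage() {
    echo 'This is an administrator page, only administrators should see it.';
}

function get_contributor_page() {
    echo 'this is a contributor page.';
}
```

With this in place, a Contributor requesting `index.php?page=adminpage` reaches the guard and gets the `wp_die()` message instead of the page body.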