[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 16 18:32:34 UTC 2010
#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
Reporter: miqrogroove | Owner: westi
Type: defect (bug) | Status: accepted
Priority: high | Milestone: 2.9.2
Component: Role/Capability | Version:
Severity: critical | Keywords: has-patch
-----------------------------+----------------------------------------------
Comment(by miqrogroove):
At step 2 one of the tests must pass. So if you changed your first
submenu $access_level to 'read' then any user would be able to trigger the
parent hook, even though it's still set to 'manage_options'. Also test
the page= query on different PHP files to see how $pagenow is ignored.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11922#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
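
A defensive pattern for plugin authors affected by the behaviour described in the comment above. This is an added example, not code from the ticket or from WordPress core. Each page callback re-checks the capability itself instead of relying on the check done when the menu hook is dispatched. The plugin name, slugs and `egm_*` function names are hypothetical.

```php
<?php
/*
Plugin Name: Example Guarded Menu (constructed example)
*/

// Hypothetical slugs, constructed for this example.
define( 'EGM_PARENT_SLUG', 'egm-settings' );
define( 'EGM_CHILD_SLUG', 'egm-overview' );

add_action( 'admin_menu', 'egm_register_menus' );

function egm_register_menus() {
    // Parent page intended for administrators only.
    add_menu_page( 'EGM Settings', 'EGM', 'manage_options',
        EGM_PARENT_SLUG, 'egm_render_settings' );

    // Submenu with a lower capability under the same parent: the
    // arrangement the comment describes as letting any user trigger
    // the parent hook.
    add_submenu_page( EGM_PARENT_SLUG, 'EGM Overview', 'Overview', 'read',
        EGM_CHILD_SLUG, 'egm_render_overview' );
}

// Stop the request unless the current user holds $cap. Because this runs
// inside the callback, it applies no matter which admin file or page=
// query caused the hook to fire.
function egm_require_cap( $cap ) {
    if ( ! current_user_can( $cap ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }
}

function egm_render_settings() {
    // Same capability that was passed to add_menu_page() above.
    egm_require_cap( 'manage_options' );
    echo '<div class="wrap"><h2>EGM Settings</h2></div>';
}

function egm_render_overview() {
    // Same capability that was passed to add_submenu_page() above.
    egm_require_cap( 'read' );
    echo '<div class="wrap"><h2>EGM Overview</h2></div>';
}
```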