[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 16 18:32:34 UTC 2010


#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
 Reporter:  miqrogroove      |       Owner:  westi    
     Type:  defect (bug)     |      Status:  accepted 
 Priority:  high             |   Milestone:  2.9.2    
Component:  Role/Capability  |     Version:           
 Severity:  critical         |    Keywords:  has-patch
-----------------------------+----------------------------------------------

Comment(by miqrogroove):

 At step 2 one of the tests must pass.  So if you changed your first
 submenu $access_level to 'read' then any user would be able to trigger the
 parent hook, even though it's still set to 'manage_options'.  Also test
 the page= query on different php files to see how $pagenow is ignored.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11922#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
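
A plugin-side guard for the arrangement the comment describes (parent page registered with 'manage_options', first submenu with 'read'), as an added example that is not code from the ticket or its patch. The plugin name, slugs, option name and function names are hypothetical; the callback re-checks the capability itself instead of trusting the menu system's test.

```php
<?php
/*
Plugin Name: Menu Capability Guard (added example, hypothetical plugin)
*/

add_action( 'admin_menu', 'example_register_menus' );

function example_register_menus() {
    // Parent page intended for administrators only.
    add_menu_page( 'Example Settings', 'Example', 'manage_options',
        'example-settings', 'example_render_settings' );

    // First submenu registered with the weaker 'read' capability: the
    // arrangement the comment says lets any user trigger the parent hook.
    add_submenu_page( 'example-settings', 'Example Status', 'Status', 'read',
        'example-status', 'example_render_status' );
}

function example_render_settings() {
    // Re-test the capability inside the callback, before reading any
    // input or producing output, so the hook is safe however it is reached.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }

    // State-changing requests also need a nonce tied to this action.
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['example_setting'] ) ) {
        check_admin_referer( 'example_save_settings' );
        $value = sanitize_text_field( stripslashes( $_POST['example_setting'] ) );
        update_option( 'example_setting', $value );
    }

    $current = get_option( 'example_setting', '' );
    echo '<div class="wrap"><h2>Example Settings</h2><form method="post">';
    wp_nonce_field( 'example_save_settings' );
    echo '<input type="text" name="example_setting" value="' . esc_attr( $current ) . '" /> ';
    echo '<input type="submit" class="button-primary" value="Save" />';
    echo '</form></div>';
}

function example_render_status() {
    // The low-privilege page states its own requirement as well.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }
    echo '<div class="wrap"><h2>Example Status</h2></div>';
}
```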