[wp-trac] [WordPress Trac] #15276: Ability to change/delete any post's meta if current user can edit any post.
WordPress Trac
wp-trac at lists.automattic.com
Mon Nov 1 14:18:52 UTC 2010
#15276: Ability to change/delete any post's meta if current user can edit any post.
--------------------------+-------------------------------------------------
Reporter: karevn | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.0.1
Severity: normal | Keywords: vulnerability
--------------------------+-------------------------------------------------
There is a flaw in the logic responsible for saving custom fields - if the
current user can edit any post, he can pass meta values for posts
which he is not allowed to edit.
Steps to reproduce:
1. Open post editor
2. Add some meta
3. Change some meta field's ID value to another existing meta ID.
4. Click save - meta will be updated.
The cause of the problem is that when saving meta values, WP does not
check whether the meta really belongs to the post being saved. The related
code is inside the function update_meta.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15276>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
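An added illustration of the missing check described in the ticket; this is not code from the ticket or from WordPress core. It models the postmeta table as an in-memory array, a save routine that trusts the submitted meta ID the way the report describes (the caller has verified the user may edit the post in the editor, but nothing ties each submitted meta ID to that post), and a hardened variant that looks each row up by ID and refuses it when its post_id is not the post being saved or the user cannot edit that post. The table layout, the sample rows and users, and the function names save_meta_vulnerable, save_meta_checked and user_can_edit_post are all assumptions; the stand-in user_can_edit_post takes the place of WordPress' current_user_can('edit_post', $post_id).

```php
<?php
// Added illustration, not WordPress core code. The postmeta "table" is an
// array keyed by meta_id; each row records the post it belongs to.
// Constructed sample data: meta 10 hangs off post 1, meta 20 off post 2.
$postmeta = [
    10 => ['post_id' => 1, 'meta_key' => 'price', 'meta_value' => '10'],
    20 => ['post_id' => 2, 'meta_key' => 'price', 'meta_value' => '99'],
];

// Constructed permission map standing in for current_user_can('edit_post', ...):
// user 'a' may edit post 1 only, user 'b' may edit posts 1 and 2.
$can_edit = ['a' => [1], 'b' => [1, 2]];

function user_can_edit_post(array $can_edit, string $user, int $post_id): bool {
    return in_array($post_id, $can_edit[$user] ?? [], true);
}

// Vulnerable pattern (the behaviour the ticket reports). The editor form posts
// meta[<meta_id>][key|value]; the handler checks that the user may edit the
// post open in the editor, then updates whichever meta_id the client sent,
// never asking which post that row belongs to.
function save_meta_vulnerable(array &$postmeta, array $can_edit, string $user, int $post_id, array $submitted): bool {
    if (!user_can_edit_post($can_edit, $user, $post_id)) {
        return false;
    }
    foreach ($submitted as $meta_id => $field) {
        $meta_id = (int) $meta_id;
        if (isset($postmeta[$meta_id])) {
            $postmeta[$meta_id]['meta_key']   = $field['key'];
            $postmeta[$meta_id]['meta_value'] = $field['value'];
        }
    }
    return true;
}

// Hardened pattern: load the row by ID and require both that it belongs to the
// post being saved and that the user may edit that post. Returns the meta_ids
// that were refused so the caller can log the tampering attempt.
function save_meta_checked(array &$postmeta, array $can_edit, string $user, int $post_id, array $submitted): array {
    $rejected = [];
    foreach ($submitted as $meta_id => $field) {
        $meta_id = (int) $meta_id;
        $row = $postmeta[$meta_id] ?? null;
        if ($row === null
            || $row['post_id'] !== $post_id
            || !user_can_edit_post($can_edit, $user, $row['post_id'])) {
            $rejected[] = $meta_id;
            continue;
        }
        $postmeta[$meta_id]['meta_key']   = $field['key'];
        $postmeta[$meta_id]['meta_value'] = $field['value'];
    }
    return $rejected;
}

// Step 3 of the report: user 'a' is editing post 1 but rewrites the submitted
// meta ID so it points at meta 20, which belongs to post 2.
$tampered = [20 => ['key' => 'price', 'value' => '0']];

$table = $postmeta;
save_meta_vulnerable($table, $can_edit, 'a', 1, $tampered);
echo "vulnerable: post 2 price is now {$table[20]['meta_value']}\n";

$table = $postmeta;
$rejected = save_meta_checked($table, $can_edit, 'a', 1, $tampered);
echo "checked: refused meta ids " . implode(',', $rejected)
   . "; post 2 price still {$table[20]['meta_value']}\n";
```

Run it with the php CLI. The point of the hardened variant is that the authorisation decision is made against the post the meta row actually belongs to, taken from the stored row, not against the post ID the client claims to be editing; the submitted meta ID is treated as untrusted input that merely selects a row.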