[wp-trac] [WordPress Trac] #17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 22 22:08:43 UTC 2011
#17850: XMLRPC API Clients can't edit underscore-prefixed custom fields
-------------------------------------+--------------------
Reporter: redsweater | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.1.4
Component: General | Version: 3.1.3
Severity: normal | Resolution:
Keywords: mobile has-patch commit |
-------------------------------------+--------------------
Comment (by xknown):
As I said in the mail, it would be better if all the internal WP meta keys
are standardized. At some point in the future, WordPress will probably
have security issues when someone adds a new meta key that is not
protected in {{{is_protected_meta}}}. This already happened with the
previous approach.
Just to cite one example, with the latest patch (17850.4.diff), WP is
vulnerable to persistent XSS attacks because the '_oembed_MD5...' key is not
covered in is_protected_meta -- a user with the edit_posts capability can
also use the XMLRPC API.
For 3.2, we can maybe use your approach, but for 3.3 it would be good to
have a strong solution to this problem.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17850#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
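The following is an added illustration of the point xknown makes above; it is not code from WordPress core or from 17850.4.diff. It contrasts a protection rule that enumerates specific internal keys (the list of keys, the function names and the constructed request are assumptions for this example) with one that treats every underscore-prefixed key as internal, and shows that a key of the form '_oembed_<md5>' is only caught by the prefix rule.

```php
<?php
// Added example: two ways of deciding whether an XML-RPC client may write
// a custom field. Function names and the key list are hypothetical.

// Approach 1: enumerate the internal keys to protect. Any internal key that
// is not on the list (for example a freshly introduced one) slips through.
function is_protected_meta_by_list(string $meta_key): bool {
    static $protected = [
        '_edit_lock',
        '_edit_last',
        '_thumbnail_id',
        '_wp_page_template',
        '_wp_attached_file',
    ];
    return in_array($meta_key, $protected, true);
}

// Approach 2: treat every underscore-prefixed key as internal, which covers
// keys that did not exist when the rule was written.
function is_protected_meta_by_prefix(string $meta_key): bool {
    return $meta_key !== '' && $meta_key[0] === '_';
}

// Apply a protection rule to the custom_fields array an XML-RPC client might
// send and return only the fields the client is allowed to set.
function filter_client_custom_fields(array $fields, callable $is_protected): array {
    $allowed = [];
    foreach ($fields as $field) {
        if (!isset($field['key'], $field['value'])) {
            continue; // malformed entry
        }
        if ($is_protected($field['key'])) {
            continue; // internal key: the server must refuse the write
        }
        $allowed[] = $field;
    }
    return $allowed;
}

// Constructed request (not a captured one): one ordinary custom field and
// one attempt to write a cached oEmbed entry, whose key is '_oembed_'
// followed by an md5 hash. The cached value is later rendered into the
// post, so script in it is the persistent XSS the comment refers to.
$client_fields = [
    ['key' => 'mood', 'value' => 'cheerful'],
    ['key'   => '_oembed_' . md5('http://example.com/video'),
     'value' => '<script>alert(1)</script>'],
];

$by_list   = filter_client_custom_fields($client_fields, 'is_protected_meta_by_list');
$by_prefix = filter_client_custom_fields($client_fields, 'is_protected_meta_by_prefix');

// The list-based rule keeps both fields, because '_oembed_...' is not on
// the list; the prefix-based rule keeps only 'mood'.
foreach (['list-based' => $by_list, 'prefix-based' => $by_prefix] as $rule => $kept) {
    printf("%s rule kept: %s\n", $rule, implode(', ', array_column($kept, 'key')));
}
```

Run with `php example.php`. The enumerated list has to be extended every time core or a plugin adds an internal key, which is exactly the maintenance hazard xknown describes; the prefix rule has no such gap, at the cost of also blocking clients that legitimately edit underscore-prefixed fields, which is the original complaint of this ticket.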