[wp-trac] [WordPress Trac] #34253: wp_insert_post() can assign a random, unauthorized user_id

WordPress Trac noreply at wordpress.org
Sun Oct 11 07:48:10 UTC 2015


#34253: wp_insert_post() can assign a random, unauthorized user_id
-------------------------------+-----------------------------
 Reporter:  Cybr               |      Owner:
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  4.3.1
 Severity:  normal             |   Keywords:
  Focuses:  administration     |
-------------------------------+-----------------------------
 Hello,

 When using wp_insert_post, the `get_current_user_id()` function is being
 called when post_author is left empty.

 When updating a plugin, and this function appears, you would assume the
 admin (whoever updated the plugin) would "insert the post".

 But this is not always the case, for instance when you update the plugin
 through FTP, or use auto-update, or static Opcode caching, etc.

 However, the admin area is accessible to many on a multisite environment
 with open registrations. It is also accessible by subscribers, if
 permitted. The user who accesses the admin area first after updating the
 code will be assigned as post author.

 The example code below shows the defect in action, on a Multisite
 environment:

 {{{
 // Update 'plugin' here, log out and flush opcode cache.
 // This 'plugin' now executes the following code in admin_init:
 add_action( 'admin_init', 'insert_main_blog_page' );

 function insert_main_blog_page() {
         // Some options.
         $the_post_id    = false;
         $main_blog      = (int) get_current_site()->blog_id; // ID of the network's main site
         $post_title     = 'About WordPress';
         $post_content   = 'WordPress is great!';
         $post_id_option = 'the_inserted_post_id';

         // Switch to main blog
         switch_to_blog( $main_blog );

         // Prevent code from running twice with option
         $existing_id = (int) get_option( $post_id_option );
         $page        = $existing_id ? get_post( $existing_id ) : null;

         if ( ! $page ) {
                 // Page doesn't exist yet: insert it. post_author is left out on
                 // purpose, so wp_insert_post() falls back to get_current_user_id(),
                 // i.e. whoever happens to load the admin area first.
                 $the_post_id = wp_insert_post( array(
                         'post_title'   => $post_title,
                         'post_status'  => 'publish',
                         'post_type'    => 'page',
                         'post_content' => $post_content,
                 ) );
         }

         if ( $the_post_id ) {
                 // Prevent code from running twice by updating option.
                 update_option( $post_id_option, $the_post_id );
         }

         // Back to current blog.
         restore_current_blog();
 }
 }}}

 A resolution would be to check if the current user has rights to post
 content, either by default or via a parameter.
 Even more so, assign the site admin if the `current_user_can()` check
 fails.

 Thanks!

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34253>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
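A hardened form of the reporter's snippet, as an added example that is not part of the ticket or of WordPress core: the author is resolved explicitly before wp_insert_post() is called, so the fallback to get_current_user_id() never decides ownership. The function names, the option name and the choice of the publish_pages capability (the inserted post_type is page) are assumptions.

```php
<?php
// Resolve who should own the page. Trust the request's user only when
// they could publish a page on this site themselves; otherwise fall back
// to an administrator of the (switched-to) site, as the ticket suggests.
function example_resolve_page_author() {
    if ( is_user_logged_in() && current_user_can( 'publish_pages' ) ) {
        return get_current_user_id();
    }
    // get_users() with 'fields' => 'ID' returns a plain array of user IDs.
    $admins = get_users( array(
        'role'   => 'administrator',
        'number' => 1,
        'fields' => 'ID',
    ) );
    return empty( $admins ) ? 0 : (int) $admins[0];
}

function example_insert_about_page() {
    $post_id_option = 'the_inserted_post_id'; // assumed option name
    switch_to_blog( (int) get_current_site()->blog_id ); // network's main site

    // Check the stored ID first so get_post( 0 ) never falls back to the global $post.
    $existing_id = (int) get_option( $post_id_option );
    if ( ! $existing_id || ! get_post( $existing_id ) ) {
        $author_id = example_resolve_page_author();
        if ( $author_id ) {
            $the_post_id = wp_insert_post( array(
                'post_author'  => $author_id, // set explicitly, never left empty
                'post_title'   => 'About WordPress',
                'post_status'  => 'publish',
                'post_type'    => 'page',
                'post_content' => 'WordPress is great!',
            ) );
            if ( $the_post_id ) {
                update_option( $post_id_option, $the_post_id );
            }
        }
        // With no suitable author on this site, insert nothing rather than guess.
    }

    restore_current_blog();
}
add_action( 'admin_init', 'example_insert_about_page' );
```

Because the capability check runs after switch_to_blog(), it is evaluated against the main site's roles, not the site the request came from.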

