[wp-trac] [WordPress Trac] #38293: A connected user can delete a protected post meta
WordPress Trac
noreply at wordpress.org
Wed Oct 12 13:39:17 UTC 2016
#38293: A connected user can delete a protected post meta
-------------------------------+-----------------------------
Reporter: ajoah | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 4.6.1
Severity: normal | Keywords:
Focuses: administration |
-------------------------------+-----------------------------
Hi,
I discovered that a user can rename (and so delete) a protected post meta
if he knows its id.
Example:
My post meta:
[[Image(https://snag.gy/RfhUA5.jpg)]]
I send the normal meta name with the protected meta id (24):
[[Image(https://snag.gy/SIo9l4.jpg)]]
After update:
[[Image(https://snag.gy/345HTD.jpg)]]
The problem comes from https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/post.php#L291
{{{#!php
<?php
// Meta Stuff
if ( isset( $post_data['meta'] ) && $post_data['meta'] ) {
    foreach ( $post_data['meta'] as $key => $value ) {
        // $key is the meta_id submitted by the form; look up the existing row.
        if ( ! $meta = get_post_meta_by_id( $key ) )
            continue;
        // The row must belong to the post being edited.
        if ( $meta->post_id != $post_ID )
            continue;
        // Only the submitted (new) key is checked here; the existing
        // $meta->meta_key is never tested.
        if ( is_protected_meta( $value['key'], 'post' ) ||
            ! current_user_can( 'edit_post_meta', $post_ID, $value['key'] ) )
            continue;
        update_meta( $key, $value['key'], $value['value'] );
    }
}
}}}
The is_protected_meta function is used only on the new name and not on the
old name:
{{{
$meta->meta_key
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38293>
WordPress Trac <https://core.trac.wordpress.org/>
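The following is an added example, not code from the ticket or from WordPress core. It models the meta loop above with an in-memory stand-in for the postmeta table and stand-ins for is_protected_meta() and current_user_can(), so it runs stand-alone. The two decision functions, the constructed rows (meta ids 23 and 24 on post 5), the key name `_protected_flag` and the helper names prefixed `example_` are all assumptions of this example. The hardened variant applies the same protected-key and capability test to the existing row's key before the submitted key is considered, which is what the report says is missing.

```php
<?php
// Added example, not WordPress core code: models the edit_post() meta loop
// from ticket #38293 with an in-memory meta table so it runs stand-alone.

// Assumed stand-in for the postmeta table: meta_id => row (constructed data).
$postmeta = array(
    23 => array( 'post_id' => 5, 'meta_key' => 'color',           'meta_value' => 'blue' ),
    24 => array( 'post_id' => 5, 'meta_key' => '_protected_flag', 'meta_value' => 'yes' ),
);

// Stand-in for is_protected_meta(): by default WordPress treats keys that
// start with an underscore as protected.
function example_is_protected_meta( $key ) {
    return strlen( $key ) > 0 && $key[0] === '_';
}

// Stand-in for current_user_can( 'edit_post_meta', $post_id, $key ): assumed
// to let the current user edit any non-protected key on the post.
function example_user_can_edit_meta( $post_id, $key ) {
    return ! example_is_protected_meta( $key );
}

// The decision as written in the reported code: only the submitted (new) key
// is tested, so a protected row can be renamed to a normal key.
function vulnerable_meta_update_allowed( $meta, $post_id, $new_key ) {
    if ( $meta === null || $meta['post_id'] != $post_id ) {
        return false;
    }
    if ( example_is_protected_meta( $new_key ) || ! example_user_can_edit_meta( $post_id, $new_key ) ) {
        return false;
    }
    return true;
}

// Hardened decision: the existing key ($meta->meta_key in core) gets the same
// test first, so a protected row can neither be renamed nor overwritten.
function hardened_meta_update_allowed( $meta, $post_id, $new_key ) {
    if ( $meta === null || $meta['post_id'] != $post_id ) {
        return false;
    }
    if ( example_is_protected_meta( $meta['meta_key'] ) || ! example_user_can_edit_meta( $post_id, $meta['meta_key'] ) ) {
        return false;
    }
    if ( example_is_protected_meta( $new_key ) || ! example_user_can_edit_meta( $post_id, $new_key ) ) {
        return false;
    }
    return true;
}

// Replays the request from the ticket: a normal key ('color') is submitted
// against the protected row's meta id (24). A second entry shows that a
// legitimate edit of the normal row (23) is still allowed by both variants.
$submitted = array(
    24 => array( 'key' => 'color', 'value' => 'red' ),
    23 => array( 'key' => 'color', 'value' => 'green' ),
);

foreach ( $submitted as $meta_id => $value ) {
    $meta = isset( $postmeta[ $meta_id ] ) ? $postmeta[ $meta_id ] : null;
    printf(
        "meta_id %d (%s -> %s): vulnerable=%s hardened=%s\n",
        $meta_id,
        $meta ? $meta['meta_key'] : 'missing',
        $value['key'],
        vulnerable_meta_update_allowed( $meta, 5, $value['key'] ) ? 'allowed' : 'blocked',
        hardened_meta_update_allowed( $meta, 5, $value['key'] ) ? 'allowed' : 'blocked'
    );
}
```

Run with `php example.php`. The first line of output is the ticket's scenario: the vulnerable decision allows renaming meta id 24 because `color` is not protected, while the hardened decision blocks it because the row's current key `_protected_flag` is. The second line shows the ordinary edit of meta id 23 passing both checks, so the extra test does not break normal custom-field editing.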
WordPress publishing platform