[wp-trac] [WordPress Trac] #38076: Network admin plugin pages can be accessed on non-multisite
WordPress Trac
noreply at wordpress.org
Fri Sep 16 19:56:08 UTC 2016
#38076: Network admin plugin pages can be accessed on non-multisite
----------------------------+-----------------------------
Reporter: flixos90 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Keywords:
Focuses: multisite |
----------------------------+-----------------------------
I just noticed that it's theoretically possible to access a plugin-generated
page in the network admin panel even if we're not on a multisite
setup. The same applies to the user admin panel as well.

To replicate, create a plugin that uses `add_menu_page()` with a slug
`my_test_page`, hooked into `network_admin_menu`. Then manually go to the
URL `http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page`.

This happens because the `is_multisite()` check happens only after
including the general `wp-admin/admin.php` administration bootstrap file
which takes care of any plugin pages by itself. The problem is we can't do
it before because WordPress hasn't been loaded then. A possible solution
would be to split the `require_once` statement in
`wp-admin/network/admin.php` into two, one to load the WordPress core
functions, the other to load `wp-admin/admin.php`.

I don't think this is a very critical issue, but I thought it should be a
ticket. It's very unlikely that anyone tries to access a network admin URL
when they don't have a multisite. On the other hand, we catch that in
other areas (through `! is_multisite()` checks), so we might try to do it
here as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38076>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
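
A plugin-side guard for the case the ticket describes, as an added example that is not part of the original message and is not WordPress core code: the page callback checks `is_multisite()` itself instead of relying on the check in `wp-admin/network/admin.php`. The plugin header, the `mtp_` function names, the text domain and the choice of the `manage_network_options` capability are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: My Test Page (hypothetical example plugin)
 */

defined( 'ABSPATH' ) || exit;

// Register the page on the network admin menu only, as in the ticket's
// replication steps (slug `my_test_page`, hook `network_admin_menu`).
add_action( 'network_admin_menu', 'mtp_register_network_page' );

function mtp_register_network_page() {
	add_menu_page(
		'My Test Page',            // Page title.
		'My Test Page',            // Menu title.
		'manage_network_options',  // Capability (assumed choice for a network page).
		'my_test_page',            // Menu slug from the ticket.
		'mtp_render_network_page'  // Callback that renders the page.
	);
}

function mtp_render_network_page() {
	// Per the ticket, the plugin page is handled by wp-admin/admin.php before
	// the network bootstrap reaches its own is_multisite() check, so the
	// callback repeats that check and stops on a single-site install.
	if ( ! is_multisite() ) {
		wp_die(
			esc_html__( 'Multisite support is not enabled.', 'my-test-page' ),
			'',
			array( 'response' => 403 )
		);
	}

	// Re-check the capability at render time rather than trusting the menu
	// registration alone.
	if ( ! current_user_can( 'manage_network_options' ) ) {
		wp_die(
			esc_html__( 'Sorry, you are not allowed to access this page.', 'my-test-page' ),
			'',
			array( 'response' => 403 )
		);
	}

	echo '<div class="wrap"><h1>' . esc_html( get_admin_page_title() ) . '</h1></div>';
}
```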