[wp-trac] [WordPress Trac] #52337: Non-numeric attachment_id and p query string params result in posts page
WordPress Trac
noreply at wordpress.org
Thu Jan 21 12:16:54 UTC 2021
#52337: Non-numeric attachment_id and p query string params result in posts page
--------------------------+-----------------------------
 Reporter:  timbarkerse   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
We've had a very thorough security review done on our site and the
reviewer flagged up that giving a non-numeric parameter to p or
attachment_id parameters: e.g.
site.com/?p=c or
site.com/?attachment_id=c
returns the posts page of the site. I would expect the 404 page. This
behaviour returns the posts page even when we don't want this page to be
visible on the site i.e. when the front page is set to a static page and
we show the posts in other ways.
I have tested it on a clean install of the latest version of WP with no
plugins.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52337>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
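
A site-side check for the behaviour reported above, as an added example that is not part of the ticket and is not WordPress core code. It assumes the file is loaded as a plugin or must-use plugin; the `strict_ids_*` function names are hypothetical, and it relies on the `parse_request` action and the `error` query variable to mark the request as a 404.

```php
<?php
/**
 * Plugin Name: Strict numeric post IDs (added example, hypothetical name)
 *
 * Answers 404 when the `p` or `attachment_id` query variable is present
 * but is not a string of ASCII digits, instead of letting the request
 * fall through to the posts page.
 */

/**
 * True when $value is a non-empty string of ASCII digits.
 * Arrays (?p[]=1) and strings such as "c", "1c" or "-1" are rejected.
 */
function strict_ids_is_numeric_id( $value ) {
	return is_string( $value ) && 1 === preg_match( '/\A[0-9]+\z/', $value );
}

/**
 * Runs after WordPress has parsed the request into $wp->query_vars.
 */
function strict_ids_reject_non_numeric( $wp ) {
	foreach ( array( 'p', 'attachment_id' ) as $key ) {
		// Parameter absent or empty: nothing to validate.
		if ( ! isset( $wp->query_vars[ $key ] ) || '' === $wp->query_vars[ $key ] ) {
			continue;
		}
		if ( strict_ids_is_numeric_id( $wp->query_vars[ $key ] ) ) {
			continue;
		}
		// Drop the bad value and flag the request as an error so the
		// main query is marked 404 and the 404 template is used.
		unset( $wp->query_vars[ $key ] );
		$wp->query_vars['error'] = '404';
		return;
	}
}
add_action( 'parse_request', 'strict_ids_reject_non_numeric' );
```

With this loaded, requests of the form `?p=c` or `?attachment_id=c` should return the theme's 404 page, while numeric IDs are handled by WordPress as before.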