[wp-trac] [WordPress Trac] #55456: Double escaping wp_user-settings

WordPress Trac noreply at wordpress.org
Thu Mar 24 09:27:13 UTC 2022

#55456: Double escaping wp_user-settings
 Reporter:  phatkoala     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  5.9.2
 Severity:  normal        |   Keywords:
  Focuses:                |
 Fresh install of WordPress with no plugins and using default Twenty Twenty
 Two theme.

 Either directly insert test data;
 INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1,
 'wp_user-settings', 'foo=1&bar=1');

 Or activate this plugin;
 Plugin Name: Ampersand Test
 register_activation_hook( __FILE__, function(){
     set_user_setting( 'foo', 1 );
     set_user_setting( 'bar', 1 );
 } );

 The name of the attributes and their values are completely arbitrary and
 have no impact on the behaviour.

 Now go to your "Profile" page (/wp-admin/profile.php) and press "Update
 Profile".  Wait 5 seconds and repeat.

 The value of wp-user_settings in the database and COOKIE is being double
 escaped (escaped on read and escaped on write).

 Therefore the value of wp-user_settings does this;
  - foo=1&bar=1
  - foo=1&ampbar=1
  - foo=1&ampampbar=1
  - foo=1&ampampampbar=1
  - and so forth

 Once the value of wp-user_settings becomes too long and/or combined with a
 user using the same browser with multiple logins, the length of the
 COOKIE(s) will become too large and the request header will be rejected by

Ticket URL: <https://core.trac.wordpress.org/ticket/55456>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list