[wp-trac] [WordPress Trac] #57437: Insecure Direct Object Reference in "author" parameter while making a page live Leads to Vertical Privilege Escalation on a Different Account
WordPress Trac
noreply at wordpress.org
Thu Jan 12 02:41:14 UTC 2023
#57437: Insecure Direct Object Reference in "author" parameter while making a page
live Leads to Vertical Privilege Escalation on a Different Account
-------------------------------------+------------------------------
Reporter: f41z4n | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 6.1.1
Severity: normal | Resolution:
Keywords: needs-patch 2nd-opinion | Focuses:
-------------------------------------+------------------------------
Comment (by peterwilsoncc):
As mentioned above, the author dropdown is only shown to users with highly
trusted roles (editors and administrators by default). The capability
check is for the permission `edit_others_posts` or the equivalent for
custom post types (CPTs).
By default WordPress only lists users with the `edit_posts` (or equivalent
for CPTs) permission but the `quick_edit_dropdown_authors_args` filter is
available for this to be altered to display all users, including
subscribers or users without a role.
WordPress doesn't require that a user have a role to be listed as an author.
Some editorial workflows may wish to credit someone as the author of a
post without giving them a login to the site.
As the user submitting the form is highly trusted, there is no privilege
escalation.
For @ironprogrammer's suggested case of a user being assigned as an author at
a later date, I don't think it's a big problem, as the user is being
granted trust at that point. Depending on the role they are assigned, this
includes trust to edit posts they are assigned to as author.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57437#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
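The two checks the comment relies on, as an added illustration that is not code from the ticket or from WordPress core: a callback on the `quick_edit_dropdown_authors_args` filter that keeps the author dropdown limited to users holding the post type's `edit_posts` capability even if another plugin widens it, and a save-time guard that refuses to assign a post to another user unless the saving user holds `edit_others_posts`. The mu-plugin path, the `author_guard_` function names and the use of the `capability` argument of `wp_dropdown_users()` (available since WordPress 5.9) are assumptions of this example, not something the ticket states.

```php
<?php
/**
 * Added illustration, not WordPress core code and not from ticket #57437.
 * Assumed location (hypothetical): wp-content/mu-plugins/author-guard.php
 *
 * 1. Re-assert the capability restriction on the Quick Edit author list.
 * 2. At save time, only let holders of edit_others_posts assign a post to
 *    someone other than themselves. Core already performs this check in the
 *    classic edit_post() path; this guard also covers code that calls
 *    wp_insert_post() directly.
 */

/**
 * Pure decision helper: may $user_id assign a post of $post_type to $author_id?
 *
 * @return bool
 */
function author_guard_can_assign( int $user_id, int $author_id, string $post_type ): bool {
    if ( $user_id === $author_id ) {
        return true; // Assigning a post to yourself never needs edit_others_posts.
    }
    $ptype = get_post_type_object( $post_type );
    if ( ! $ptype ) {
        return false; // Unknown post type: fail closed.
    }
    // Meta capability for the post type, "edit_others_posts" for posts.
    return user_can( $user_id, $ptype->cap->edit_others_posts );
}

/**
 * Filter the argument array handed to wp_dropdown_users() for Quick/Bulk Edit.
 * Core's own default uses the post type's edit_posts capability; running at
 * PHP_INT_MAX means a plugin that widened the list to all users is overridden.
 */
add_filter( 'quick_edit_dropdown_authors_args', function ( array $args, bool $bulk ) {
    $screen    = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
    $post_type = ( $screen && ! empty( $screen->post_type ) ) ? $screen->post_type : 'post';
    $ptype     = get_post_type_object( $post_type );

    if ( $ptype ) {
        // Assumption: 'capability' is honoured by wp_dropdown_users() (WP >= 5.9).
        $args['capability'] = array( $ptype->cap->edit_posts );
        unset( $args['who'] ); // Legacy 'who' => 'authors' would be redundant here.
    }
    return $args;
}, PHP_INT_MAX, 2 );

/**
 * Save-time guard: if the current user lacks edit_others_posts for the post
 * type, silently reset post_author to the current user and leave an audit
 * line in the PHP error log for the site operator.
 */
add_filter( 'wp_insert_post_data', function ( array $data, array $postarr ) {
    if ( ! is_user_logged_in() ) {
        return $data; // Cron / CLI / import paths: nothing to compare against.
    }
    $current = get_current_user_id();
    $author  = isset( $data['post_author'] ) ? (int) $data['post_author'] : $current;
    $type    = isset( $data['post_type'] ) ? (string) $data['post_type'] : 'post';

    if ( ! author_guard_can_assign( $current, $author, $type ) ) {
        error_log( sprintf(
            'author-guard: user %d tried to set post_author=%d on a %s without edit_others_posts; reset to self',
            $current,
            $author,
            $type
        ) );
        $data['post_author'] = $current;
    }
    return $data;
}, 10, 2 );
```

`author_guard_can_assign()` is kept separate from the hooks so it can be unit-tested with `wp_set_current_user()` in a WordPress test suite; the dropdown filter only shapes what editors see, and the `wp_insert_post_data` guard is the check that actually matters for the privilege question the ticket raises.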