[wp-trac] [WordPress Trac] #62849: I Find a Vulnerability on Drafted Posts

WordPress Trac noreply at wordpress.org
Thu Jan 23 17:36:09 UTC 2025


#62849: I Find a Vulnerability on Drafted Posts
-------------------------------+-----------------------------
 Reporter:  aryadharmaadi      |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  6.7.1
 Severity:  normal             |   Keywords:
  Focuses:                     |
-------------------------------+-----------------------------
 Hello,
 I am currently developing a web fuzzer that can automatically find Broken
 Access Control vulnerabilities in the form of Broken Function Level
 Authorization (BFLA), Broken Object Level Authorization (BOLA), and Broken
 Object Property Level Authorization (BOPLA).

 When I tested the most recent WordPress version (6.7.1) with the WooCommerce
 plugin (9.5.2), I found there was a BOLA in the Post object, because drafted
 posts that are invisible on the administrator page for all user roles can
 be modified when the authenticated user supplies the correct ID of the
 drafted post.

 Therefore, I suggest you check this issue. If you need further
 information, do not hesitate to contact me.

 Thanks.

 Best regards,
 Arya Dharmaadi

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62849>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
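The report above gives no reproduction detail, so the first thing a triager needs is a way to tell a real object-level authorization bypass from expected behaviour (an Editor or Administrator editing someone else's draft is legitimate, and a Contributor editing their own draft is too). The following differential check is an added example, not the reporter's fuzzer and not WordPress code. It assumes a disposable test site with Application Passwords enabled, one account per role, and a target draft authored by a user other than the accounts being tested; the expected-outcome table reflects default WordPress role capabilities (only administrator and editor hold `edit_others_posts`), and the probe field value `bola-probe` is a made-up marker.

```python
"""Differential BOLA check: can each role update a draft it did not author?

Added example (not from the WordPress Trac ticket or WordPress core).
Assumes a throwaway WordPress test site with Application Passwords enabled.
"""
import base64
import json
import urllib.error
import urllib.request

# Assumption: default WordPress role capabilities. Editing another user's
# draft requires edit_others_posts, which only editor and administrator have.
EXPECTED_CAN_EDIT = {
    "administrator": True,
    "editor": True,
    "author": False,
    "contributor": False,
    "subscriber": False,
}


def basic_auth_header(user, app_password):
    """HTTP Basic header as used by WordPress Application Passwords."""
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_send(method, url, headers, body):
    """Real transport: perform the request and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_edit(site, post_id, user, app_password, send=http_send):
    """Attempt a minimal update of the draft via the core REST route
    POST /wp-json/wp/v2/posts/<id> and return the status code."""
    url = f"{site.rstrip('/')}/wp-json/wp/v2/posts/{post_id}"
    headers = {"Content-Type": "application/json",
               **basic_auth_header(user, app_password)}
    # Harmless, easily reverted change; "bola-probe" is an arbitrary marker.
    payload = json.dumps({"excerpt": "bola-probe"}).encode()
    return send("POST", url, headers, payload)


def classify(role, status):
    """Compare the observed outcome with what the capability model expects.
    A 2xx for a role that must not hold edit_others_posts is the BOLA case;
    a denial for a role that should succeed points at a misconfigured test."""
    allowed = 200 <= status < 300
    expected = EXPECTED_CAN_EDIT[role]
    if allowed and not expected:
        return "BOLA"
    if not allowed and expected:
        return "UNEXPECTED_DENY"
    return "OK"


def run_checks(site, post_id, accounts, send=http_send):
    """accounts: iterable of (role, username, app_password).
    Returns {role: (status_code, verdict)}."""
    results = {}
    for role, user, app_password in accounts:
        status = probe_edit(site, post_id, user, app_password, send=send)
        results[role] = (status, classify(role, status))
    return results


if __name__ == "__main__":
    # Placeholder site and credentials; replace with a test instance of your own.
    accounts = [
        ("administrator", "admin", "xxxx xxxx xxxx xxxx xxxx xxxx"),
        ("editor", "editor", "xxxx xxxx xxxx xxxx xxxx xxxx"),
        ("author", "author", "xxxx xxxx xxxx xxxx xxxx xxxx"),
        ("contributor", "contributor", "xxxx xxxx xxxx xxxx xxxx xxxx"),
        ("subscriber", "subscriber", "xxxx xxxx xxxx xxxx xxxx xxxx"),
    ]
    for role, (status, verdict) in run_checks(
            "https://wp.test.local", 123, accounts).items():
        print(f"{role:14s} HTTP {status}  {verdict}")
```

The `send` parameter is injectable so the decision logic can be exercised against recorded or simulated responses before touching a live site. When a "BOLA" verdict appears, confirm two things before filing: that the draft's author really is a different user (otherwise `edit_posts` alone explains the success), and that the account was not granted extra capabilities by a plugin, since the expected-outcome table only holds for stock roles.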

