[wp-trac] [WordPress Trac] #28821: Admin page registered with add_menu_page() allows access through wrong URLs and highlights wrong top level menu item
WordPress Trac
noreply at wordpress.org
Tue Jan 27 15:23:52 UTC 2026
#28821: Admin page registered with add_menu_page() allows access through wrong URLs
and highlights wrong top level menu item
----------------------------+-----------------------------
Reporter: F J Kaiser | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone:
Component: Administration | Version: 3.9.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
----------------------------+-----------------------------
Changes (by huzaifaalmesbah):
* keywords: has-patch needs-testing => has-patch
Comment:
== Patch Testing Report
Patch Tested: https://github.com/WordPress/wordpress-develop/pull/10801
=== Environment
- WordPress: 7.0-alpha-61215-src
- PHP: 8.2.29
- Server: nginx/1.29.4
- Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
- Browser: Chrome 143.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Two 2.1
- MU Plugins: None activated
- Plugins:
* (Trac) Add Top Level Test Menu Page
* Test Reports 1.2.1
=== Steps taken
1. Activated the **(Trac) Add Top Level Test Menu Page** plugin.
2. Logged into the WordPress admin dashboard.
3. Opened the **Trac** top-level admin menu and confirmed the page loads
correctly.
4. Attempted to access the page using unrelated admin URLs with the
`page=trac` query parameter (e.g. `options-general.php`, `tools.php`,
`edit.php`, `upload.php`, `index.php`).
5. Observed that the admin page is accessible via those unrelated URLs and
causes incorrect or missing menu highlighting.
6. Applied the fix from the linked patch.
7. Re-tested access using the same unrelated admin URLs.
8. Confirmed that the admin page is no longer accessible via unrelated
URLs and menu highlighting behaves correctly.
x. ✅ Patch is solving the problem
=== Expected result
- Admin pages registered using `add_menu_page()` should only be accessible
through their registered admin URL.
- Unrelated admin URLs with the same `page` parameter should not load the
page.
- Admin menu highlighting should always reflect the correct active menu
item.
=== Screenshots/Screencast with results
- Screencast demonstrating the issue and its resolution after applying the
patch:
https://files.catbox.moe/pfek3e.mp4
=== Support Content
- Test plugin: **(Trac) Add Top Level Test Menu Page**
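{{{
<?php
/** Plugin Name: (Trac) Add Top Level Test Menu Page */

// Register a top-level admin page with the slug "trac".
add_action( 'admin_menu', function()
{
	add_menu_page(
		'Hello Trac',      // Page title.
		'Trac',            // Menu title.
		'manage_options',  // Required capability.
		'trac',            // Menu slug, used as the `page` query parameter.
		function()         // Render callback.
		{
			?>
			<h1>Hello Trac!</h1>
			<?php settings_errors(); ?>
			<form action="options.php" method="post">
				<label for="trac">Enter Trac ID</label>
				<input type="text" id="trac" name="trac" />
			</form>
			<?php
		}
	);
} );
}}}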
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28821#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
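
A plugin-side guard for the behaviour tested above, as an added example (it is not the patch from the linked pull request and not code from the ticket). It assumes the same `trac` slug as the test plugin; the `trac_example_*` names and the `TRAC_EXAMPLE_SLUG` constant are hypothetical.

```php
<?php
/**
 * Plugin Name: (Example) Canonical URL guard for a top-level admin page
 *
 * Added example: redirects requests that reach the page through an
 * unrelated admin file (tools.php?page=trac, upload.php?page=trac, ...)
 * back to the registered URL, admin.php?page=trac.
 */

const TRAC_EXAMPLE_SLUG = 'trac'; // Same slug as the test plugin in the report.

/**
 * Top-level pages added with add_menu_page() are served from admin.php,
 * so any other value of $pagenow means a non-registered entry point.
 */
function trac_example_is_canonical( string $pagenow ): bool {
	return 'admin.php' === $pagenow;
}

function trac_example_render(): void {
	echo '<div class="wrap"><h1>Hello Trac!</h1></div>';
}

add_action( 'admin_menu', function () {
	// add_menu_page() returns the hook suffix for the new page.
	$hook_suffix = add_menu_page(
		'Hello Trac',
		'Trac',
		'manage_options',
		TRAC_EXAMPLE_SLUG,
		'trac_example_render'
	);

	// "load-{$hook_suffix}" fires before the admin header is sent,
	// so a redirect is still possible at this point.
	add_action( "load-{$hook_suffix}", function () {
		global $pagenow;

		if ( trac_example_is_canonical( (string) $pagenow ) ) {
			return; // Registered URL: render normally.
		}

		// Any other admin file: send the browser to the registered URL.
		wp_safe_redirect( admin_url( 'admin.php?page=' . TRAC_EXAMPLE_SLUG ) );
		exit;
	} );
} );
```

The capability passed to `add_menu_page()` is still what authorises the user; the guard only normalises which URL serves the page, so the menu highlighting matches the registered item.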