Calling wpmu_delete_blog with $blog_id deletes all database tables
Reported by: mblanc
Owned by:
When calling the wpmu_delete_blog function with a blog_id of 1, get_blog_prefix, called by this function, returns a dangerous (for the delete purpose) prefix (i.e. 'wp\_%', assuming the installation prefix was 'wp_').
Since the tables returned by "SHOW TABLES LIKE 'wp\_%'" are deleted, all the WordPress tables are destroyed.
Of course, the backoffice doesn't allow an admin to delete the blog 1, but it might be a safe idea to prevent this by checking that $blog_id passed to wpmu_delete_blog is never 0 or 1 since any plugin can call it with a wrong parameter.
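Added example, not code from the ticket or from WordPress itself: a small PHP model of the behaviour described above (table names are constructed, and blog_prefix/tables_matching_like are stand-ins for get_blog_prefix and the SHOW TABLES LIKE sweep), together with the $blog_id check the report asks for.

```php
<?php
// Added example (not WordPress code). Models the prefix/LIKE behaviour the
// ticket describes and the guard it proposes. All table names are constructed.

// Mirrors what the report says get_blog_prefix returns: the bare installation
// prefix for blog 1, "<base><id>_" for any other blog.
function blog_prefix(string $base, int $blog_id): string {
    return $blog_id === 1 ? $base : "{$base}{$blog_id}_";
}

// Equivalent of SHOW TABLES LIKE '<prefix>%' (with '_' escaped so it is a
// literal underscore), run against an in-memory table list instead of MySQL.
function tables_matching_like(array $tables, string $prefix): array {
    $pattern = '/^' . preg_quote($prefix, '/') . '.*$/';
    return array_values(array_filter($tables, fn($t) => preg_match($pattern, $t)));
}

// Guard suggested in the report: refuse blog 0 and blog 1, where the prefix
// degenerates to the installation prefix and the sweep would match everything.
function tables_to_drop(array $tables, string $base, int $blog_id): array {
    if ($blog_id < 2) {
        throw new InvalidArgumentException("refusing to delete tables for blog $blog_id");
    }
    return tables_matching_like($tables, blog_prefix($base, $blog_id));
}

// Constructed sample: the main site's tables plus one extra blog (id 2).
$tables = ['wp_options', 'wp_posts', 'wp_users', 'wp_2_options', 'wp_2_posts'];

// Unguarded sweep for blog 1 matches every table, including the main site's.
print_r(tables_matching_like($tables, blog_prefix('wp_', 1)));
// Guarded sweep for blog 2 matches only wp_2_*.
print_r(tables_to_drop($tables, 'wp_', 2));
// Guarded sweep for blog 1 is refused before any table is touched.
try {
    tables_to_drop($tables, 'wp_', 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```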
Change History (10)
- Keywords has-patch removed
- Milestone Awaiting Review deleted
- Resolution set to fixed
- Status changed from new to closed