Anyone can delete attachments
Reported by: xknown
Owned by: rob1n
An unregistered user can delete attachments through an xmlrpc request:

<methodCall>
  <methodName>wp.uploadFile</methodName>
  <params>
    <param><value>1</value></param>
    <param><value>1</value></param>
    <param><value>1</value></param>
    <param>
      <value>
        <struct>
          <member><name>name</name><value>attachement_name</value></member>
          <member><name>overwrite</name><value>1</value></member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
I'll submit a partial fix -- I think that a user should only delete their own uploaded files.
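For reference, the kind of server-side check the report asks for, written out as an added illustration rather than code from this ticket or from WordPress itself. It assumes it runs inside WordPress: wp_xmlrpc_server::login(), current_user_can(), get_posts(), sanitize_title(), wp_delete_attachment() and IXR_Error are the real WordPress APIs; the method body and the find_attachment_by_name() helper are hypothetical. The point is the ordering: authenticate first, then require the upload capability, and only then let an overwrite touch an attachment the caller owns or otherwise has delete rights on.

```php
<?php
// Added example, not WordPress's xmlrpc.php. Hypothetical method that
// mirrors wp.uploadFile's argument layout: blog_id, username, password, data.

function find_attachment_by_name( $name ) {
    // Hypothetical helper: resolve the caller-supplied name to an existing
    // attachment post instead of trusting the name as a filesystem path.
    $found = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',
        'name'           => sanitize_title( $name ),
        'posts_per_page' => 1,
    ) );
    return $found ? $found[0] : null;
}

function secure_upload_file( wp_xmlrpc_server $server, array $args ) {
    $blog_id  = (int) $args[0];
    $username = $args[1];
    $password = $args[2];
    $data     = $args[3];

    // 1. Authenticate. Skipping this is what lets an unregistered caller
    //    reach the overwrite path described in the report.
    $user = $server->login( $username, $password );
    if ( ! $user ) {
        return $server->error; // IXR_Error set by login()
    }

    // 2. Authorize the upload itself.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new IXR_Error( 401, 'You are not allowed to upload files.' );
    }

    // 3. Overwrite only deletes an attachment the caller is allowed to delete.
    if ( ! empty( $data['overwrite'] ) ) {
        $existing = find_attachment_by_name( $data['name'] );
        if ( $existing ) {
            $is_owner = (int) $existing->post_author === (int) $user->ID;
            if ( ! $is_owner && ! current_user_can( 'delete_post', $existing->ID ) ) {
                return new IXR_Error( 401, 'You are not allowed to overwrite this file.' );
            }
            wp_delete_attachment( $existing->ID, true );
        }
    }

    // ... proceed with writing $data['bits'] and creating the attachment ...
    return array( 'file' => $data['name'] );
}
```

Note that the check in step 3 is per attachment, not per user: an editor with delete_post on someone else's attachment is still allowed through, which matches what "their own uploaded files" would need to be relaxed to on a multi-author site.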
Change History (10)
comment:2 foolswisdom — 7 years ago
- Owner changed from anonymous to josephscott
- Priority changed from normal to high
- Severity changed from normal to critical
- Keywords commit added
- Owner changed from josephscott to rob1n
- Status changed from new to assigned