Ticket #4786 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

Recent Entries widget caches Private Post titles

Reported by: lybica Owned by: anonymous
Priority: normal Milestone: 2.3
Component: Security Version: 2.2.2
Severity: normal Keywords: cache, private
Cc:

Description

Recent Entries widget uses wp_cache_*() functions if ENABLE_CACHE is set.
However, if a user with the capability 'read_private_posts' is logged in and triggers wp_cache_add(), private posts (only titles, though) are also cached and displayed to public/unregistered viewers for the lifetime of the cache, effectively bypassing the is_user_logged_in() and current_user_can() checks in WP_Query::get_posts().

Change History

  • Milestone changed from 2.4 (future) to 2.3 (trunk)

comment:2   ryan 4 years ago

Adding post_status=publish to the query will restrict to published posts.

comment:3   ryan 4 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [5973]) Limit recent entries query to published posts. fixes #4786
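The leak described in the ticket and the [5973] fix, as one constructed PHP model added here. This is not WordPress's or the widget's own code: the *_stub functions, the sample posts and the cache key name are assumptions standing in for wp_cache_get()/wp_cache_set(), WP_Query::get_posts() and current_user_can('read_private_posts'). It shows why caching a query whose result depends on the viewer, under a key that does not, serves private titles to anonymous viewers, and why forcing post_status=publish makes the cached result safe to share.

```php
<?php
// Added example modelling ticket #4786 with an in-memory stand-in for the
// WordPress object cache and WP_Query. Not WordPress code.

// Constructed sample posts (not real data).
$posts = [
    ['ID' => 1, 'title' => 'Hello world',      'status' => 'publish'],
    ['ID' => 2, 'title' => 'Q3 layoffs draft', 'status' => 'private'],
    ['ID' => 3, 'title' => 'Launch notes',     'status' => 'publish'],
];

// Stand-ins for wp_cache_get()/wp_cache_set(): one key, shared by all viewers.
function wp_cache_get_stub(array &$cache, string $key) {
    return $cache[$key] ?? false;
}
function wp_cache_set_stub(array &$cache, string $key, $value): void {
    $cache[$key] = $value;
}

// Stand-in for WP_Query::get_posts(): like the real one, it includes private
// posts only when the current user can read_private_posts, unless the query
// names a post_status explicitly.
function get_posts_stub(array $posts, array $args, bool $canReadPrivate): array {
    return array_values(array_filter($posts, function ($p) use ($args, $canReadPrivate) {
        if (isset($args['post_status'])) {
            return $p['status'] === $args['post_status'];
        }
        return $p['status'] === 'publish'
            || ($p['status'] === 'private' && $canReadPrivate);
    }));
}

// Vulnerable widget: viewer-dependent result, viewer-independent cache key.
function recent_entries_vulnerable(array $posts, array &$cache, bool $canReadPrivate): array {
    $key = 'widget_recent_entries';               // assumed key name
    $titles = wp_cache_get_stub($cache, $key);
    if ($titles === false) {
        $rows   = get_posts_stub($posts, ['showposts' => 10], $canReadPrivate);
        $titles = array_column($rows, 'title');
        wp_cache_set_stub($cache, $key, $titles);  // whatever this viewer saw is now global
    }
    return $titles;
}

// Fixed widget (the [5973] change): the query is limited to published posts,
// so the result no longer depends on who primed the cache.
function recent_entries_fixed(array $posts, array &$cache, bool $canReadPrivate): array {
    $key = 'widget_recent_entries';
    $titles = wp_cache_get_stub($cache, $key);
    if ($titles === false) {
        $rows   = get_posts_stub($posts, ['showposts' => 10, 'post_status' => 'publish'], $canReadPrivate);
        $titles = array_column($rows, 'title');
        wp_cache_set_stub($cache, $key, $titles);
    }
    return $titles;
}

// Scenario: an editor who can read private posts loads the page first and
// primes the cache; an anonymous visitor loads it next.
$cache = [];
recent_entries_vulnerable($posts, $cache, true);           // editor primes the cache
$leaked = recent_entries_vulnerable($posts, $cache, false); // anonymous viewer gets the cached list
echo 'vulnerable widget, anonymous viewer: ' . implode(', ', $leaked) . PHP_EOL;
assert(in_array('Q3 layoffs draft', $leaked, true));

$cache = [];
recent_entries_fixed($posts, $cache, true);
$safe = recent_entries_fixed($posts, $cache, false);
echo 'fixed widget, anonymous viewer: ' . implode(', ', $safe) . PHP_EOL;
assert(!in_array('Q3 layoffs draft', $safe, true));
```

Run it with `php` on the file. The general rule the ticket illustrates: output that varies with the viewer's capabilities must not be cached under a key shared by every viewer. Restricting the query to post_status=publish removes the variation, so a single shared entry becomes correct; the alternative, keeping the broader query but varying the cache key by capability, would also work but keeps private titles in the cache at all.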
