id summary reporter owner description type status priority milestone component version severity resolution keywords cc focuses 10310 add_menu_page Security Bug shazahm1@… ryan "I think there is a security issue with the add_menu_page() function but I'm a noob and might be doing something wrong but I was able to duplicate it with the sample code from the codex. {{{ Test Options""; } // mt_manage_page() displays the page content for the Test Manage submenu function mt_manage_page() { echo ""

Test Manage

""; } // mt_toplevel_page() displays the page content for the custom Test Toplevel menu function mt_toplevel_page() { echo ""

Test Toplevel

""; } // mt_sublevel_page() displays the page content for the first submenu // of the custom Test Toplevel menu function mt_sublevel_page() { echo ""

Test Sublevel

""; } // mt_sublevel_page2() displays the page content for the second submenu // of the custom Test Toplevel menu function mt_sublevel_page2() { echo ""

Test Sublevel 2

""; } ?> }}} Let's say a user is logged in as a subscriber and types in the query string to access the top level menu '''?page=menu_test.php''' the page will be displayed even though only admins should see the page as set in the parameter set in add_menu_page. However type in the query string for the subpages are blocked as expected. I've also attached my code that shows the same problem." defect (bug) closed normal 2.8.1 Menus 2.8 major fixed