Some users able to comment on unpublished posts
| Reported by: | ericmann | Owned by: | |
This was originally reported on the WP support forums.
Users with certain developer tools (i.e. Firebug) can manually edit the comment_post_ID field of the default comment form and submit a comment to any post on the site, whether it's published or not (or closed to comments or not).
Perhaps we should consider some level of security for comments to ensure this can't happen? Maybe hash the comment_post_ID field so it can't be edited in plaintext?
Change History (22)
- Summary changed from Some users able to comment on closed posts to Some users able to comment on unpublished posts
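
An added example, not WordPress's code and not part of the ticket: a stand-alone PHP model of the issue described above, with a handler that trusts the submitted comment_post_ID beside one that re-checks the post's state on the server. The `$posts` array, the function names and the sample submissions are constructed for illustration; only the status strings (`publish`, `draft`, `open`, `closed`) follow WordPress's own values.

```php
<?php
// Constructed sample data standing in for the posts table (not real site content).
$posts = [
    1 => ['status' => 'publish', 'comment_status' => 'open'],
    2 => ['status' => 'draft',   'comment_status' => 'open'],
    3 => ['status' => 'publish', 'comment_status' => 'closed'],
];

// Before (hypothetical): the handler accepts whatever comment_post_ID the
// browser sends, so an edited hidden field is enough to reach any post.
function accept_comment_unchecked(array $posts, array $form): bool
{
    return isset($form['comment_post_ID']);
}

// After (hypothetical): the ID is treated as untrusted input and the target
// post's state is re-checked on the server before the comment is stored.
function accept_comment_checked(array $posts, array $form): array
{
    $raw = $form['comment_post_ID'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return [false, 'invalid post id'];
    }
    $id = (int) $raw;
    if (!isset($posts[$id])) {
        return [false, 'no such post'];
    }
    if ($posts[$id]['status'] !== 'publish') {
        return [false, 'post is not published'];
    }
    if ($posts[$id]['comment_status'] !== 'open') {
        return [false, 'comments are closed'];
    }
    return [true, 'accepted'];
}

// Constructed submissions: the field as rendered (1) and as edited by hand.
foreach (['1', '2', '3', '99', '2 OR 1'] as $submitted) {
    $form = ['comment_post_ID' => $submitted, 'comment' => 'hello'];
    [$ok, $reason] = accept_comment_checked($posts, $form);
    printf("%-8s unchecked=%s checked=%s (%s)\n", $submitted,
        accept_comment_unchecked($posts, $form) ? 'yes' : 'no',
        $ok ? 'yes' : 'no', $reason);
}
```

The checked handler makes its decision from server-side state alone, so it behaves the same whether or not the form field has been edited in the browser.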