Ability to change/delete any post's meta if current user can edit any post.
Reported by: karevn. Owned by: ryan.
There is a flaw in the logic responsible for saving custom fields: if the current user can edit any post, he can pass meta values for posts which he is not allowed to edit.
Steps to reproduce:
- Open post editor
- Add some meta
- Change some meta field's ID value to another existing meta ID.
- Click save - meta will be updated.
The cause of the problem is that when saving meta values, WP does not check if the meta really belongs to the post being saved. The related code is inside the function update_meta.
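The ownership check the report says is missing, as an added example (not the ticket's patch or WordPress's own code): the hypothetical wrapper checked_save_post_meta() looks the row up by its ID, refuses it unless its post_id matches the post being saved and the user can edit that post, and only then writes it. It assumes the current WordPress helpers get_post_meta_by_id(), current_user_can(), update_metadata_by_mid() and delete_metadata_by_mid() are available.

```php
<?php
/**
 * Hypothetical hardened save path for a single custom field.
 * The flaw in the report: the form's meta ID was trusted, so a user who
 * could edit one post could rewrite a meta row belonging to another post.
 * The fix is to bind the meta row to the post before touching it.
 *
 * @param int    $post_id    Post the editor form claims to be saving.
 * @param int    $meta_id    Meta row ID submitted by the form (untrusted).
 * @param string $meta_key   New key (untrusted, sanitised by WordPress).
 * @param mixed  $meta_value New value, or null to delete the row.
 * @return true|WP_Error
 */
function checked_save_post_meta( $post_id, $meta_id, $meta_key, $meta_value ) {
    $post_id = (int) $post_id;
    $meta_id = (int) $meta_id;

    // The caller must be allowed to edit the post the form names.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'You cannot edit this post.' );
    }

    // Load the row by ID and refuse it if it belongs to a different post.
    // This is the check the original update_meta() did not perform.
    $meta = get_post_meta_by_id( $meta_id );
    if ( ! $meta || (int) $meta->post_id !== $post_id ) {
        return new WP_Error( 'meta_mismatch', 'Meta ID does not belong to this post.' );
    }

    // Deletion and update both go through the ID, now known to be ours.
    if ( null === $meta_value ) {
        return delete_metadata_by_mid( 'post', $meta_id )
            ? true
            : new WP_Error( 'delete_failed', 'Could not delete meta.' );
    }

    return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key )
        ? true
        : new WP_Error( 'update_failed', 'Could not update meta.' );
}
```

For detection, a meta ID in a save request whose row resolves to a post_id other than the one in the same request is the signature to log, since a legitimate editor form never produces that combination.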
Change History (7)
- Cc otterish@… added
- Keywords has-patch added; vulnerability removed