Make WordPress Core

Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#15276 closed defect (bug) (fixed)

Ability to change/delete any post's meta if current user can edit any post.

Reported by: karevn
Owned by: ryan
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.0.1
Component: Security
Keywords: has-patch
Focuses:
Cc:


There is a flaw in the logic responsible for saving custom fields - if the current user can edit any post, he can pass meta values for posts which he is not allowed to edit.

Steps to reproduce:

  1. Open post editor
  2. Add some meta
  3. Change some meta field's ID value to another existing meta ID.
  4. Click save - meta will be updated.

The cause of the problem is that when saving meta values, WP does not check whether the meta really belongs to the post being saved. The related code is inside the function update_meta.

Attachments (1)

15276.diff (945 bytes) - added by kawauso 7 years ago.
Validation modelled after AJAX handler

Change History (7)

#1 @Denis-de-Bernardy
8 years ago

  • Component changed from General to Security

7 years ago

Validation modelled after AJAX handler

#2 @kawauso
7 years ago

  • Cc otterish@… added
  • Keywords has-patch added; vulnerability removed

#3 @ryan
7 years ago

  • Milestone changed from Awaiting Review to 3.1

#4 @nacin
7 years ago

  • Owner set to ryan
  • Status changed from new to assigned

#5 @ryan
7 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [17078]) Restrict meta update/delete to the current post. Props kawauso. fixes #15276

#6 @ryan
7 years ago

I changed the patch slightly to restrict to the post ID rather than doing a capability check. The edit_post check done at the top of the function suffices.
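
A minimal model of the flaw reported in this ticket and of the post-ID restriction described in comment 6, as an added example that is not WordPress's own code or the attached patch. The functions `can_edit_post`, `save_meta_unchecked` and `save_meta_scoped` and the in-memory `$postmeta` array are hypothetical stand-ins, and the request data is constructed:

```php
<?php
// Added illustration, not WordPress code; names and data are constructed.
$postmeta = [ // stand-in for the postmeta table: meta_id => row
    101 => ['post_id' => 1, 'value' => 'red'], // post 1: user may edit
    202 => ['post_id' => 2, 'value' => '10'],  // post 2: user may not edit
];

// Hypothetical stand-in for the edit_post check at the top of the save routine.
function can_edit_post(int $post_id): bool { return $post_id === 1; }

// Before: any existing meta ID in the request is written.
function save_meta_unchecked(array &$table, int $post_id, array $submitted): array
{
    $updated = [];
    if (!can_edit_post($post_id)) {
        return $updated;
    }
    foreach ($submitted as $meta_id => $value) {
        if (isset($table[$meta_id])) {
            $table[$meta_id]['value'] = $value;
            $updated[] = $meta_id;
        }
    }
    return $updated;
}

// After: a row is written only if it belongs to the post being saved;
// other IDs are returned separately so they can be logged.
function save_meta_scoped(array &$table, int $post_id, array $submitted): array
{
    $result = ['updated' => [], 'rejected' => []];
    if (!can_edit_post($post_id)) {
        return $result;
    }
    foreach ($submitted as $meta_id => $value) {
        $owned = isset($table[$meta_id]) && $table[$meta_id]['post_id'] === $post_id;
        if ($owned) {
            $table[$meta_id]['value'] = $value;
        }
        $result[$owned ? 'updated' : 'rejected'][] = $meta_id;
    }
    return $result;
}

// Constructed request: saving post 1, with one meta ID that belongs to post 2.
$form = [101 => 'blue', 202 => '0'];
$before = $postmeta; $after = $postmeta; // PHP arrays copy by value
var_dump(save_meta_unchecked($before, 1, $form), $before[202]['value']);
var_dump(save_meta_scoped($after, 1, $form), $after[202]['value']);
```

The `rejected` list is worth logging: a meta ID submitted with a post it does not belong to does not occur in a normal editor save.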
