Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#15276 closed defect (bug) (fixed)

Ability to change/delete any post's meta if current user can edit any post.

Reported by: karevn Owned by: ryan
Milestone: 3.1 Priority: normal
Severity: normal Version: 3.0.1
Component: Security Keywords: has-patch
Focuses: Cc:

Description

There is a flaw in the logic responsible for saving custom fields - if the current user can edit any post, he can pass meta values for the posts which he is not allowed to edit.

Steps to reproduce:

  1. Open post editor
  2. Add some meta
  3. Change some meta field's ID value to another existing meta ID.
  4. Click save - meta will be updated.

The cause of the problem is that when saving meta values, WP does not check whether the meta really belongs to the post being saved. The related code is inside the function update_meta.

Attachments (1)

15276.diff (945 bytes) - added by kawauso 11 years ago.
Validation modelled after AJAX handler

Change History (7)

#1 @Denis-de-Bernardy
11 years ago

  • Component changed from General to Security

@kawauso
11 years ago

Validation modelled after AJAX handler

#2 @kawauso
11 years ago

  • Cc otterish@… added
  • Keywords has-patch added; vulnerability removed

#3 @ryan
11 years ago

  • Milestone changed from Awaiting Review to 3.1

#4 @nacin
11 years ago

  • Owner set to ryan
  • Status changed from new to assigned

#5 @ryan
11 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [17078]) Restrict meta update/delete to the current post. Props kawauso. fixes #15276

#6 @ryan
11 years ago

I changed the patch slightly to restrict to the post ID rather than doing a capability check. The edit_post check done at the top of the function suffices.
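
The ownership check this ticket settles on, shown as an added example that is not part of the ticket and not WordPress's own code: a self-contained PHP model of a meta save handler before and after restricting writes to the post being saved. The table, function names and form data are constructed for illustration, and the caller is assumed to have already passed the edit check for post 1.

```php
<?php
// Constructed stand-in for the post meta table: meta_id => row.
$meta_table = [
    10 => ['post_id' => 1, 'meta_key' => 'color', 'meta_value' => 'red'],
    11 => ['post_id' => 2, 'meta_key' => 'price', 'meta_value' => '100'],
];

// Before the fix: every submitted meta ID that exists is written,
// whichever post the row belongs to. $post_id is never consulted.
function save_meta_unchecked(array &$table, int $post_id, array $submitted): array {
    $written = [];
    foreach ($submitted as $meta_id => $field) {
        if (!isset($table[$meta_id])) {
            continue; // unknown meta ID
        }
        $table[$meta_id]['meta_key']   = $field['key'];
        $table[$meta_id]['meta_value'] = $field['value'];
        $written[] = $meta_id;
    }
    return $written;
}

// After the fix: a row is written only if it belongs to the post being saved.
function save_meta_scoped(array &$table, int $post_id, array $submitted): array {
    $written = [];
    foreach ($submitted as $meta_id => $field) {
        if (!isset($table[$meta_id])) {
            continue; // unknown meta ID
        }
        if ((int) $table[$meta_id]['post_id'] !== $post_id) {
            continue; // row is owned by another post: skip it
        }
        $table[$meta_id]['meta_key']   = $field['key'];
        $table[$meta_id]['meta_value'] = $field['value'];
        $written[] = $meta_id;
    }
    return $written;
}

// Constructed form data for a save of post 1; meta ID 11 belongs to post 2.
$submitted = [
    10 => ['key' => 'color', 'value' => 'blue'],
    11 => ['key' => 'price', 'value' => '0'],
];
$before = $meta_table; // separate copies so each handler starts from the same state
$after  = $meta_table;
echo 'unchecked wrote meta IDs: ', implode(',', save_meta_unchecked($before, 1, $submitted)), "\n";
echo 'scoped wrote meta IDs:    ', implode(',', save_meta_scoped($after, 1, $submitted)), "\n";
```

The same comparison applies to the delete path, since the commit message covers both update and delete.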