Make WordPress Core

Opened 3 years ago

Last modified 21 months ago

#19415 new defect (bug)

wp_nav_menu showing private/conctepts posts without rights

Reported by: thomask Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 3.0
Component: Security Keywords:
Focuses: Cc:


when you are using wordpress menus and you got your post/page in a menu (e.g. using Automatically add new top-level pages) and then change the post/page to concept or set it private, the link to post/page stays in the menu for all users, what may have some negative security concerns

this error in all versions, including todays nightly

IMO it should show only visible posts (if someone disagrees and need it for some backward compatibility, there may be some parameter, but imo hidding private/concept should be default)

Change History (3)

comment:1 in reply to: ↑ description linuxologos3 years ago

  • Version changed from 3.3 to 3.0

this error in all versions, including todays nightly

comment:3 Offereins21 months ago

  • Cc lmoffereins@… added

Isn't this easy to fix with a filter on wp_nav_menu_objects checking the readability of the object (if post or cpt) for the current user and handling the array accordingly? Or does this need a check before that on querying the DB?
Anyways, can someone tell if this is looked at ever since reporting?

Note: See TracTickets for help on using tickets.