Opened 2 years ago

Closed 2 years ago

#20154 closed defect (bug) (fixed)

Add cap check to XML_RPC wp.getPostFormats

Reported by: maxcutler
Owned by: ryan
Milestone: 3.4
Priority: normal
Severity: minor
Version: 3.3.1
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

The wp_getPostFormats method does not perform any cap checks like other XML-RPC methods. Even though the information is theoretically harmless, other methods like wp_getPostStatusList check against edit_posts to guard against info leakage.

Attachments (1)

wp_getPostFormats_cap_check.patch (580 bytes) - added by maxcutler 2 years ago.


Change History (3)

comment:1 nacin 2 years ago

  • Milestone changed from Awaiting Review to 3.4

comment:2 ryan 2 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [20566]:

Require the edit_posts capability for wp_getPostFormats.

Props maxcutler.
Fixes #20154
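
The gap this ticket describes (an XML-RPC method that authenticates the caller but never checks a capability) can be audited for across a whole server class. The following is an added example, not code from the ticket or from WordPress: a heuristic Python scan that generalizes the ticket's single case to every method in a class. The PHP sample is constructed for illustration, and the helper names are hypothetical.

```python
import re

# Constructed sample modelled on the shape of an XML-RPC server class;
# it is not the real WordPress source.
SAMPLE_PHP = r'''
class demo_xmlrpc_server {
    function wp_getPostStatusList( $args ) {
        if ( ! $user = $this->login( $username, $password ) )
            return $this->error;
        if ( ! current_user_can( 'edit_posts' ) )
            return new IXR_Error( 403, 'Not allowed.' );
        return get_post_statuses();
    }
    function wp_getPostFormats( $args ) {
        if ( ! $user = $this->login( $username, $password ) )
            return $this->error;
        return get_post_format_strings(); // no capability check
    }
}
'''

FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')
CAP_RE = re.compile(r'\bcurrent_user_can\s*\(')
LOGIN_RE = re.compile(r'\$this->login\s*\(')

def strip_comments(src):
    """Drop // and /* */ comments so a commented-out check does not count (heuristic)."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def method_bodies(src):
    """Yield (name, body) per named function, matching braces to find the end."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def methods_missing_cap_check(src):
    """Methods that call login() but never call current_user_can()."""
    return [name for name, body in method_bodies(strip_comments(src))
            if LOGIN_RE.search(body) and not CAP_RE.search(body)]

if __name__ == '__main__':
    print(methods_missing_cap_check(SAMPLE_PHP))
```

A hit is a prompt for manual review rather than proof of a leak, since a method may delegate its capability check to a helper that this scan does not follow.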
