Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#26645 closed defect (bug) (duplicate)

Possible upgrade to wrong theme/plugin

Reported by: meloniq
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9
Component: Upgrade/Install
Keywords:
Focuses:
Cc:
PR Number:

Description

Component: api.wordpress.org/(themes|plugins)/update-check/

An upgrade can be done to the wrong theme if a theme with the same name is listed in the WP repository.

Scenario:

  • I have created a 'Twenty Fifteen' theme, version 0.9 (for personal use)
  • A month later the WP team releases a new 'Twenty Fifteen' theme, version 1.0, in the WP repository
  • The WP Upgrader receives information that an update is available for my theme
  • On upgrade my theme is overridden with the WP one

This 'security hole' can be used by some theme/plugin authors to create equivalents of commercial products that will get overridden on the next upgrade.

Possible solution:

WP API could check some additional param (like Author) before returning results about available update.

(sidenote) I could add a filter to my theme to exclude it from the WP API check, but it will only work when my theme is active.
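One way to apply the mitigation from the sidenote without depending on the theme being active is a must-use plugin, which WordPress loads on every request regardless of the active theme. The snippet below is an added example, not code from the ticket or from WordPress core; the theme slug `twentyfifteen`, the constant and the function names are assumptions, while `http_request_args` and `pre_set_site_transient_update_themes` are standard core filters.

```php
<?php
/**
 * Plugin Name: Exclude a private theme from the WordPress.org update check
 * Description: Hypothetical mu-plugin (wp-content/mu-plugins/). Removes a privately
 *              developed theme from the data sent to api.wordpress.org, so a
 *              same-named repository theme is never offered as an "update".
 */

// Assumed: directory name (slug) of the private theme, e.g. wp-content/themes/twentyfifteen.
define( 'MY_PRIVATE_THEME_SLUG', 'twentyfifteen' );

/**
 * Strip the private theme from the update-check payload before it leaves the site.
 * Core posts a JSON document under $args['body']['themes'] whose 'themes' key maps
 * slug => theme headers; removing our slug means the API has nothing to match against.
 */
function my_exclude_private_theme_from_update_check( $args, $url ) {
    if ( false === strpos( $url, '://api.wordpress.org/themes/update-check/' ) ) {
        return $args; // not the theme update check, leave the request alone
    }
    if ( empty( $args['body']['themes'] ) ) {
        return $args;
    }
    $request = json_decode( $args['body']['themes'], true );
    if ( isset( $request['themes'][ MY_PRIVATE_THEME_SLUG ] ) ) {
        unset( $request['themes'][ MY_PRIVATE_THEME_SLUG ] );
        $args['body']['themes'] = json_encode( $request );
    }
    return $args;
}
add_filter( 'http_request_args', 'my_exclude_private_theme_from_update_check', 10, 2 );

/**
 * Second line of defence: if a response for the slug still reaches the site
 * (e.g. from an earlier, unfiltered check), drop it before it is stored, so the
 * Upgrader never sees an "available update" for the private theme.
 */
function my_drop_private_theme_update( $transient ) {
    if ( isset( $transient->response[ MY_PRIVATE_THEME_SLUG ] ) ) {
        unset( $transient->response[ MY_PRIVATE_THEME_SLUG ] );
    }
    return $transient;
}
add_filter( 'pre_set_site_transient_update_themes', 'my_drop_private_theme_update' );
```

Because the filter keys on the theme directory name, the same approach applies to plugins by targeting the plugins update-check URL and the `pre_set_site_transient_update_plugins` filter with the plugin's `dir/file.php` key.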

Change History (1)

#1 @SergeyBiryukov
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14179.
