Opened 10 years ago
Closed 10 years ago
#26645 closed defect (bug) (duplicate)
Possible upgrade to wrong theme/plugin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.9 |
| Component: | Upgrade/Install | Keywords: | |
| Focuses: | | Cc: | |
Description
Component: api.wordpress.org/(themes|plugins)/update-check/
An upgrade can be done to the wrong theme if a theme with the same name is listed in the WP repository.
Scenario:
- I have created a 'Twenty Fifteen' theme, version 0.9 (for personal use)
- A month later the WP team releases a new 'Twenty Fifteen' theme, version 1.0, in the WP repository
- WP Upgrader receives information that there is an update available for my theme
- On upgrade my theme is overridden with the WP one
This 'security hole' can be used by some theme/plugin authors to create equivalents of commercial products that will get overridden on the next upgrade.
Possible solution:
WP API could check some additional param (like Author) before returning results about an available update.
(sidenote) I could add a filter to my theme to exclude it from being checked in the WP API, but it will only work when my theme is active.
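
The collision described in this ticket and the proposed Author check can be modelled as follows. This is an added example, not part of the original report and not WordPress code. The catalogue, the author strings and every function name are constructed, and the update check is assumed to be keyed on theme name as the ticket states.

```python
import re

# Constructed sample: header of a privately built theme's style.css.
PRIVATE_STYLE_CSS = """/*
Theme Name: Twenty Fifteen
Author: Example Private Author
Version: 0.9
*/"""

# Constructed stand-in for the repository catalogue, keyed by theme name.
REPOSITORY = {
    "Twenty Fifteen": {"author": "WP team", "version": "1.0"},
}

HEADER_RE = re.compile(r"^\s*(Theme Name|Author|Version):\s*(.+?)\s*$", re.M)


def parse_theme_header(css):
    """Extract the Theme Name, Author and Version header fields."""
    return {key: value for key, value in HEADER_RE.findall(css)}


def version_tuple(version):
    """Turn '1.0' into (1, 0) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def offered_update(theme, repo, check_author):
    """Return the repository version offered to `theme`, or None.

    check_author=False models matching on name alone (the behaviour the
    ticket reports); check_author=True models the proposed extra check.
    """
    entry = repo.get(theme["Theme Name"])
    if entry is None:
        return None  # name not listed in the repository
    if check_author and entry["author"].lower() != theme["Author"].lower():
        return None  # same name, different author: treat as unrelated
    if version_tuple(entry["version"]) <= version_tuple(theme["Version"]):
        return None  # installed copy is already current
    return entry["version"]


if __name__ == "__main__":
    private = parse_theme_header(PRIVATE_STYLE_CSS)
    print("name only:    ", offered_update(private, REPOSITORY, False))
    print("name + author:", offered_update(private, REPOSITORY, True))
```
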
Change History (1)
Duplicate of #14179.