Opened 4 years ago

Last modified 4 months ago

#34253 new defect (bug)

wp_insert_post() can assign a random, unauthorized user_id

Reported by: Cybr
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.3.1
Component: Posts, Post Types
Keywords:
Focuses: administration
Cc:
PR Number:

Description

Hello,

When using wp_insert_post, the get_current_user_id() function is being called when post_author is left empty.

When updating a plugin, and this function appears, you would assume the admin (whoever updated the plugin) would "insert the post".

But this is not always the case, for instance when you update the plugin through FTP, or use auto-update, or static Opcode caching, etc.

However, the admin area is accessible to many on a multisite environment with open registrations. But it is also accessible by subscribers, if permitted. The user who accesses the admin area first after updating the code will be assigned as post author.

An example code below will show you the defect in action, on a Multisite environment:

// Update 'plugin' here, log out and flush opcode cache.
// This 'plugin' now executes the following code in admin_init:

// Some options.
$the_post_id = false;
$main_blog = 0;
$post_title = 'About WordPress';
$post_content = 'WordPress is great!';
$post_id_option = 'the_inserted_post_id';

// Switch to main blog
switch_to_blog( $main_blog );

// Prevent code from running twice with option
$page = get_post( get_option( $post_id_option ) );

if ( !$page ) {
	// Page doesn't exist yet.

	// Insert post
	$the_post_id = wp_insert_post( array(
		'post_title'     => $post_title,
		'post_status'    => 'publish',
		'post_type'      => 'page',
		'post_content'   => $post_content
	) );

}

if ( $the_post_id ) {
	// Prevent code from running twice by updating option.
	update_option( $post_id_option, $the_post_id );
}

// Back to current blog.
restore_current_blog();

A resolution would be to check if the current user has rights to post content. Either by default or parameter.
Even more so, assign the site admin if the current_user_can() check fails.

Thanks!
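A hardened version of the insertion step from the snippet above, written as an added example rather than code from the ticket or from WordPress core: it never leaves post_author empty, uses the current user only if they can publish pages, and otherwise falls back to an administrator of the target site. The helper name and the choice of the 'publish_pages' capability are assumptions.

```php
<?php
/**
 * Insert a page with an explicitly chosen author, so wp_insert_post()'s
 * default of get_current_user_id() is never relied on.
 *
 * Hypothetical helper for the scenario in this ticket, not part of core.
 * Call it after switch_to_blog() so get_users() queries the target site.
 */
function example_insert_page_with_safe_author( $title, $content ) {
	// Use the current user only if they are actually allowed to publish pages.
	$author_id = get_current_user_id();
	if ( ! $author_id || ! user_can( $author_id, 'publish_pages' ) ) {
		// Fall back to an administrator of this site, never whoever happens
		// to be logged in (e.g. a subscriber triggering admin_init).
		$admins = get_users( array(
			'role'    => 'administrator',
			'number'  => 1,
			'orderby' => 'ID',
			'order'   => 'ASC',
			'fields'  => 'ID',
		) );
		$author_id = $admins ? (int) $admins[0] : 0;
	}

	if ( ! $author_id ) {
		// No suitable owner: refuse rather than mis-attribute the content.
		return new WP_Error( 'no_author', 'No administrator available to own the page.' );
	}

	return wp_insert_post( array(
		'post_title'   => $title,
		'post_content' => $content,
		'post_status'  => 'publish',
		'post_type'    => 'page',
		'post_author'  => $author_id, // explicit, never left empty
	), true ); // true: return a WP_Error on failure instead of 0
}
```

The returned value is a post ID on success or a WP_Error, so the caller can check is_wp_error() before storing the ID in the option that guards against running twice.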

Change History (1)

#1 @SergeyBiryukov
4 years ago

Related/duplicate: #19373
