Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#35370 closed defect (bug) (invalid)

wp-activate.php use unfilter value in database query

Reported by: alifamoorzadeh Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.1
Component: Login and Registration Keywords:
Focuses: multisite Cc:

Description (last modified by SergeyBiryukov)

Hello,
in file "wp-activate.php", lines:

86: $key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
87: $result = wpmu_activate_signup( $key );

pass the user input value to the wpmu_activate_signup function without filtering; this function then uses the value in a DB query.

Change History (3)

#1 @ocean90
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hello @alifamoorzadeh, thanks for the report.

In wpmu_activate_signup() the $key value gets escaped in tags/4.4.1/src/wp-includes/ms-functions.php#L955 through the use of $wpdb->prepare() (code ref), which means we don't use unfiltered values in the query.

Since this report was about a potential security issue, please keep this in mind:

Do not report potential security vulnerabilities here.
See the Security FAQ and contact security@wordpress.org.

Last edited 10 years ago by ocean90 (previous) (diff)
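The distinction drawn in the reply above, as an added example that is not part of the ticket or of WordPress core: the same unfiltered request value is harmless when it reaches the query as data and harmful only when it is spliced into the SQL text. PDO with an in-memory SQLite database stands in for `$wpdb` here (an assumption; `$wpdb->prepare()` escapes and quotes the value into the string rather than binding it), and the table contents and function names are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for $wpdb and the
// multisite signups table. All rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE signups (user_login TEXT, activation_key TEXT, active INTEGER)");
$db->exec("INSERT INTO signups VALUES ('alice', 'a1b2c3d4e5f60718', 0)");

// Pattern the report assumed: the request value becomes part of the SQL text,
// so a quote character inside it can change the structure of the query.
function find_signup_concat(PDO $db, string $key): array {
    $sql = "SELECT user_login FROM signups WHERE activation_key = '$key'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern the reply describes: the SQL text is fixed and the key is handed
// over separately as data, so it is only ever compared against the column.
function find_signup_bound(PDO $db, string $key): array {
    $stmt = $db->prepare("SELECT user_login FROM signups WHERE activation_key = ?");
    $stmt->execute([$key]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs, as they would arrive in $_GET['key'] / $_POST['key'].
$samples = [
    'valid key'      => 'a1b2c3d4e5f60718',
    'wrong key'      => 'ffffffffffffffff',
    'quote in value' => "x' OR '1'='1",
];

// Print how many signups each lookup style matches for each input.
foreach ($samples as $label => $key) {
    printf(
        "%-15s concat=%d row(s)  bound=%d row(s)\n",
        $label,
        count(find_signup_concat($db, $key)),
        count(find_signup_bound($db, $key))
    );
}
```

When triaging a report like this one, the thing to check is the sink, not the source: trace the request value to the query call and confirm it arrives through a placeholder rather than string interpolation.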

#2 @SergeyBiryukov
9 years ago

  • Description modified (diff)

#3 @SergeyBiryukov
9 years ago

  • Component changed from General to Login and Registration
  • Focuses multisite added