WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 7 months ago

#38076 new defect (bug)

Network admin plugin pages can be accessed on non-multisite

Reported by: flixos90 Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Administration Keywords: needs-patch
Focuses: multisite Cc:
PR Number:

Description

I just noticed that it's theoretically possible to access a plugin-generated page in the network admin panel even if we're not on a multisite setup. The same applies to the user admin panel as well.

To replicate, create a plugin that uses add_menu_page() with a slug my_test_page, hooked into network_admin_menu. Then manually go to the URL http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page.

This happens because the is_multisite() check happens only after including the general wp-admin/admin.php administration bootstrap file which takes care of any plugin pages by itself. The problem is we can't do it before because WordPress hasn't been loaded then. A possible solution would be to split the require_once statement in wp-admin/network/admin.php into two, one to load the WordPress core functions, the other to load wp-admin/admin.php.

I don't think this is a very critical issue, but I thought it should be a ticket. It's very unlikely that anyone tries to access a network admin URL when they don't have a multisite. On the other hand, we catch that in other areas (through ! is_multisite() checks), so we might try to do it here as well.

Change History (1)

#1 @desrosj
7 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.