Opened 8 years ago
Last modified 3 years ago
#38076 new defect (bug)
Network admin plugin pages can be accessed on non-multisite
| Reported by: | flixos90 | Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | has-patch dev-feedback |
| Focuses: | multisite | Cc: | |
Description
I just noticed that it's theoretically possible to access a plugin-generated page in the network admin panel even if we're not on a multisite setup. The same applies to the user admin panel as well.
To replicate, create a plugin that uses `add_menu_page()` with a slug `my_test_page`, hooked into `network_admin_menu`. Then manually go to the URL `http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page`.
This happens because the `is_multisite()` check happens only after including the general `wp-admin/admin.php` administration bootstrap file which takes care of any plugin pages by itself. The problem is we can't do it before because WordPress hasn't been loaded then. A possible solution would be to split the `require_once` statement in `wp-admin/network/admin.php` into two, one to load the WordPress core functions, the other to load `wp-admin/admin.php`.
I don't think this is a very critical issue, but I thought it should be a ticket. It's very unlikely that anyone tries to access a network admin URL when they don't have a multisite. On the other hand, we catch that in other areas (through `! is_multisite()` checks), so we might try to do it here as well.
When I replicate this bug as per instructions in the ticket description, I get a fatal error. I added a patch that redirects to the admin URL when attempting to access a plugin-generated page in the network admin panel when multisite is not enabled.
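A plugin-side guard for the case in the ticket description, as an added example that is not part of the ticket or its attached patch. The plugin header, the function names and the choice of the `manage_network_options` capability are assumptions; only the `my_test_page` slug and the `network_admin_menu` hook come from the description.

```php
<?php
/**
 * Plugin Name: My Test Page (added example, hypothetical plugin)
 *
 * Registers the ticket's `my_test_page` network admin page, guarded so that
 * it is neither registered nor rendered when multisite is disabled.
 */

// Hypothetical helper shared by the render callback.
function my_test_page_network_available() {
	return is_multisite() && current_user_can( 'manage_network_options' );
}

function my_test_page_register() {
	// Per the ticket, this hook can be reached on a single-site install when
	// wp-admin/network/admin.php is requested directly, so check here too.
	if ( ! is_multisite() ) {
		return;
	}

	add_menu_page(
		'My Test Page',           // Page title.
		'My Test Page',           // Menu title.
		'manage_network_options', // Capability (assumed choice).
		'my_test_page',           // Slug used in ?page=my_test_page.
		'my_test_page_render'     // Render callback.
	);
}
add_action( 'network_admin_menu', 'my_test_page_register' );

function my_test_page_render() {
	// Defence in depth: re-check in the callback instead of relying on the
	// bootstrap's own is_multisite() check having run first.
	if ( ! my_test_page_network_available() ) {
		wp_die( esc_html__( 'You are not allowed to access this page.', 'my-test-page' ) );
	}

	echo '<div class="wrap"><h1>' . esc_html__( 'My Test Page', 'my-test-page' ) . '</h1></div>';
}
```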