
Opened 7 months ago

Closed 6 months ago

Last modified 6 months ago

#47820 closed feature request (fixed)

should update_option() check "manage_options" capability?

Reported by: lllor
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Options, Meta APIs
Keywords: good-first-bug has-patch dev-feedback
Focuses: docs
Cc:

Description

As in the summary, please consider improving the security of update_option() by checking the related capability.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

Otherwise, a vulnerability may occur, as recently happened in the ND Shortcodes For Visual Composer plugin:

https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-shortcodes-for-visual-composer-plugin/

Cheers.

Attachments (2)

47820.diff (623 bytes) - added by dinhtungdu 7 months ago.
47820.2.diff (624 bytes) - added by dinhtungdu 7 months ago.
Fix grammar issues.


Change History (11)

#1 @mukesh27
7 months ago

  • Keywords dev-feedback added
  • Version 5.2.2 deleted

#2 follow-up: @SergeyBiryukov
7 months ago

  • Keywords needs-patch added; dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts when there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

#3 in reply to: ↑ 2 ; follow-up: @lllor
7 months ago

Replying to SergeyBiryukov:

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts when there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

#4 in reply to: ↑ 3 ; follow-up: @SergeyBiryukov
7 months ago

  • Focuses docs added
  • Keywords good-first-bug added
  • Milestone changed from Future Release to 5.3

Replying to lllor:

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

It should be used for updating an option value in the database (instead of direct SQL queries, for example).

As you wrote in the ticket description, it's the plugin author's responsibility to check the appropriate capabilities before saving any option changes.

Marking as a good-first-bug to reflect that in the function documentation.
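An added example (not from this ticket, the patch, or WordPress core) of the caller-side checks the comment above describes, with the unchecked pattern shown for contrast. The hook names, option name and nonce action are hypothetical.

```php
<?php
// Added example: update_option() never checks capabilities, so the plugin
// handler that calls it must. Hook, option and nonce names are hypothetical.

// Unchecked pattern: any request that reaches this handler (including one from
// a low-privilege logged-in user) overwrites the option.
add_action( 'admin_post_demo_save_settings_unsafe', 'demo_save_settings_unsafe' );
function demo_save_settings_unsafe() {
	update_option( 'demo_api_endpoint', $_POST['demo_api_endpoint'] );
}

// Checked pattern: capability, CSRF token and input validation before the write.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
	// 1. Capability: only users allowed to manage options may proceed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to change these settings.', 'demo' ),
			'',
			array( 'response' => 403 )
		);
	}

	// 2. CSRF: the form must carry a nonce tied to this specific action.
	check_admin_referer( 'demo_save_settings', 'demo_nonce' );

	// 3. Validate and sanitize before anything is persisted.
	$raw   = isset( $_POST['demo_api_endpoint'] ) ? wp_unslash( $_POST['demo_api_endpoint'] ) : '';
	$value = esc_url_raw( $raw );
	if ( '' === $value ) {
		wp_die( esc_html__( 'Invalid endpoint URL.', 'demo' ), '', array( 'response' => 400 ) );
	}

	// 4. Only now touch the database. update_option() returns false when the
	//    stored value is unchanged, so a false return is not an error here.
	update_option( 'demo_api_endpoint', $value );

	wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
	exit;
}
```

The same ordering applies to AJAX (`wp_ajax_*`) and REST callbacks: the capability check belongs in the request handler or the route's `permission_callback`, not in update_option().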

@dinhtungdu
7 months ago

#5 in reply to: ↑ 4 @dinhtungdu
7 months ago

Replying to SergeyBiryukov:

Marking as a good-first-bug to reflect that in the function documentation.

I updated the doc of update_option to reflect the topic we discussed here.

@dinhtungdu
7 months ago

Fix grammar issues.

#6 @dinhtungdu
7 months ago

  • Keywords has-patch dev-feedback added; needs-patch removed

#7 @SergeyBiryukov
6 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#8 @SergeyBiryukov
6 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46120:

Docs: Clarify in update_option() description that it's the plugin author's responsibility to check the current user's capabilities before saving any option changes.

Props dinhtungdu, lllor.
Fixes #47820.

#9 @SergeyBiryukov
6 months ago

In 46121:

Coding Standards: Fix WPCS issue in [46120].

See #47820.
