Make WordPress Core

Opened 7 weeks ago

Closed 2 days ago

Last modified 45 hours ago

#47820 closed feature request (fixed)

should update_option() check "manage_options" capability?

Reported by: lllor
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Options, Meta APIs
Keywords: good-first-bug has-patch dev-feedback
Focuses: docs
Cc:

Description

As in the summary, please consider improving the security of update_option() by checking the related capability.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

Otherwise, a vulnerability may occur, as recently happened in the ND Shortcodes For Visual Composer plugin:

https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-shortcodes-for-visual-composer-plugin/

Cheers.

Attachments (2)

47820.diff (623 bytes) - added by dinhtungdu 5 weeks ago.
47820.2.diff (624 bytes) - added by dinhtungdu 5 weeks ago.
Fix grammar issues.


Change History (11)

#1 @mukesh27
7 weeks ago

  • Keywords dev-feedback added
  • Version 5.2.2 deleted

#2 follow-up: @SergeyBiryukov
6 weeks ago

  • Keywords needs-patch added; dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts where there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

#3 in reply to: ↑ 2 ; follow-up: @lllor
6 weeks ago

Replying to SergeyBiryukov:

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts where there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

#4 in reply to: ↑ 3 ; follow-up: @SergeyBiryukov
6 weeks ago

  • Focuses docs added
  • Keywords good-first-bug added
  • Milestone changed from Future Release to 5.3

Replying to lllor:

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

It should be used for updating an option value in the database (instead of direct SQL queries, for example).

As you wrote in the ticket description, it's the plugin author's responsibility to check the appropriate capabilities before saving any option changes.

Marking as a good-first-bug to reflect that in the function documentation.
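The pattern comments 2 and 4 describe, as an added example that is not part of this ticket, not WordPress core code, and not taken from the ND Shortcodes plugin: a plugin AJAX handler that writes request data straight into an option (the privilege-escalation shape the reporter is worried about), the same handler with the caller-side authorization the core team says is the plugin author's job, and a WP-Cron callback showing why that check cannot live inside update_option() itself. The option names, hook names and function names are hypothetical; every WordPress API called is a real core function.

```php
<?php
/**
 * Added example (not core code, not from this ticket). Option and hook names
 * such as 'myplugin_settings' and 'myplugin_save_settings' are hypothetical.
 */

// VULNERABLE: update_option() performs no authorization, so whoever can reach
// this handler can overwrite the option. Registering it on wp_ajax_nopriv_*
// as well means even unauthenticated visitors can.
function myplugin_save_settings_vulnerable() {
	$settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
	update_option( 'myplugin_settings', $settings );
	wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings_vuln', 'myplugin_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_myplugin_save_settings_vuln', 'myplugin_save_settings_vulnerable' );

// HARDENED: the caller, not update_option(), decides who may write.
function myplugin_save_settings() {
	// Authorization. Checking only is_user_logged_in() would be wrong here:
	// a Subscriber is logged in but has no business changing plugin settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient_capability', 403 );
	}

	// CSRF protection. The nonce proves the request was intended by the user;
	// it says nothing about what that user is allowed to do, so it complements
	// the capability check and never replaces it. Dies on failure.
	check_ajax_referer( 'myplugin_save_settings', 'nonce' );

	// Validation: accept only the keys and types the plugin defines.
	$raw = array();
	if ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) {
		$raw = wp_unslash( $_POST['settings'] );
	}
	$settings = array(
		'label'   => isset( $raw['label'] ) ? sanitize_text_field( $raw['label'] ) : '',
		'enabled' => ! empty( $raw['enabled'] ),
	);

	update_option( 'myplugin_settings', $settings );
	wp_send_json_success( $settings );
}
// Authenticated hook only; there is no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings' );

// Why the check cannot live inside update_option(): a WP-Cron run has no
// logged-in user, so current_user_can( 'manage_options' ) is false here even
// though this write is entirely legitimate. Hypothetical event name.
function myplugin_daily_refresh() {
	update_option( 'myplugin_last_refresh', time(), false );
}
add_action( 'myplugin_daily_refresh', 'myplugin_daily_refresh' );
if ( ! wp_next_scheduled( 'myplugin_daily_refresh' ) ) {
	wp_schedule_event( time(), 'daily', 'myplugin_daily_refresh' );
}
```

The nonce checked by check_ajax_referer() has to be issued on the settings page with wp_create_nonce( 'myplugin_save_settings' ) and sent as the nonce POST field. When reviewing a plugin for this class of bug, the question to ask of every update_option() call reachable from a request (admin-ajax.php, admin-post.php, a REST route, a front-end form) is which capability check, if any, stands between the request and that call; a nonce or a login check alone does not answer it.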

@dinhtungdu
5 weeks ago

#5 in reply to: ↑ 4 @dinhtungdu
5 weeks ago

Replying to SergeyBiryukov:

Marking as a good-first-bug to reflect that in the function documentation.

I updated the doc of update_option to reflect the topic we discussed here.

@dinhtungdu
5 weeks ago

Fix grammar issues.

#6 @dinhtungdu
5 weeks ago

  • Keywords has-patch dev-feedback added; needs-patch removed

#7 @SergeyBiryukov
4 weeks ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#8 @SergeyBiryukov
2 days ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46120:

Docs: Clarify in update_option() description that it's plugin author's responsibility to check the current user's capabilities before saving any option changes.

Props dinhtungdu, lllor.
Fixes #47820.

#9 @SergeyBiryukov
45 hours ago

In 46121:

Coding Standards: Fix WPCS issue in [46120].

See #47820.
