Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#4786 closed defect (bug) (fixed)

Recent Entries widget caches Private Post titles

Reported by: lybica
Owned by:
Milestone: 2.3
Priority: normal
Severity: normal
Version: 2.2.2
Component: Security
Keywords: cache, private
Focuses:
Cc:


The Recent Entries widget uses the wp_cache_*() functions if ENABLE_CACHE is set.
However, if a user with the 'read_private_posts' capability is logged in and triggers wp_cache_add(), private posts (only their titles, though) are also cached and displayed to public/unregistered viewers for the lifetime of the cache, effectively bypassing the is_user_logged_in() and current_user_can() checks in WP_Query::get_posts().

Change History (3)

#1 @foolswisdom
8 years ago

  • Milestone changed from 2.4 (future) to 2.3 (trunk)

#2 @ryan
8 years ago

Adding post_status=publish to the query will restrict to published posts.

#3 @ryan
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5973]) Limit recent entries query to published posts. fixes #4786
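The failure mode in this ticket and the effect of the [5973] fix, as an added model written for this page (constructed Python, not WordPress code): a shared cache stores whatever the first viewer's query returned, so a privileged viewer priming it leaks private titles to everyone, unless the query itself pins post_status=publish. The post list, the cache class and the function names are assumptions for the demonstration.

```python
# Constructed sample posts; "private" rows are only readable with read_private_posts.
POSTS = [
    {"title": "Public launch notes", "status": "publish"},
    {"title": "Draft earnings memo", "status": "private"},
]


def query_posts(viewer_can_read_private, post_status=None):
    """Models WP_Query::get_posts(): private rows are returned only to a
    viewer with read_private_posts, unless the query pins post_status."""
    rows = []
    for post in POSTS:
        if post_status is not None and post["status"] != post_status:
            continue  # the [5973] fix: post_status=publish drops private rows
        if post["status"] == "private" and not viewer_can_read_private:
            continue  # the per-user capability check the cache bypasses
        rows.append(post)
    return rows


class SharedCache:
    """Stand-in for wp_cache_add()/wp_cache_get(): one store for all viewers."""

    def __init__(self):
        self.store = {}

    def get(self, key):
        return self.store.get(key)

    def add(self, key, value):
        self.store.setdefault(key, value)  # first writer wins, like wp_cache_add


def render_recent_entries(cache, viewer_can_read_private, fixed=False):
    """Widget output: cached titles if present, else query and cache them."""
    titles = cache.get("recent_entries")
    if titles is None:
        rows = query_posts(viewer_can_read_private, "publish" if fixed else None)
        titles = [p["title"] for p in rows]
        cache.add("recent_entries", titles)
    return titles


def anonymous_view_after_editor_primes(fixed):
    """An editor renders the widget first, then an anonymous visitor does."""
    cache = SharedCache()
    render_recent_entries(cache, viewer_can_read_private=True, fixed=fixed)
    return render_recent_entries(cache, viewer_can_read_private=False, fixed=fixed)
```

Without the fix the anonymous visitor receives the private title from the shared cache; with post_status=publish the cached list is safe to serve to anyone.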
