Opened 17 years ago
Closed 17 years ago
#4786 closed defect (bug) (fixed)
Recent Entries widget caches Private Post titles
Reported by: | lybica | Owned by: | |
---|---|---|---|
Milestone: | 2.3 | Priority: | normal |
Severity: | normal | Version: | 2.2.2 |
Component: | Security | Keywords: | cache, private |
Focuses: | | Cc: | |
Description
Recent Entries widget uses wp_cache_*() functions if ENABLE_CACHE is set.
However, if a user with the capability to 'read_private_posts' is logged in and triggers wp_cache_add(), private posts (only titles, though) are also cached and displayed to the public/unregistered viewers for the lifetime of the cache, effectively bypassing the is_user_logged_in() and current_user_can() in WP_Query::get_posts().
Change History (3)
Adding post_status=publish to the query will restrict to published posts.
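
The following is an added example, not WordPress code and not part of the ticket: a small Python model of the flaw described above (a viewer-dependent query result stored under one shared cache key) next to the fix suggested in the comment. The names `SharedCache`, `query_posts`, `widget_vulnerable`, `widget_fixed`, the cache key and the sample posts are all constructed for illustration.

```python
# Constructed model of the caching flaw in this ticket; not WordPress code.
POSTS = [  # constructed sample data
    {"title": "Hello world", "status": "publish"},
    {"title": "Internal notes", "status": "private"},
]

class SharedCache:
    """Stand-in for an object cache shared by every visitor."""
    def __init__(self):
        self._store = {}
    def get(self, key):
        return self._store.get(key)
    def add(self, key, value):
        # 'add' semantics: store only if the key is not already present.
        self._store.setdefault(key, value)

def query_posts(can_read_private, post_status=None):
    """Models a query whose default visibility depends on the current user."""
    if post_status is not None:
        allowed = {post_status}
    else:
        allowed = {"publish"} | ({"private"} if can_read_private else set())
    return [p["title"] for p in POSTS if p["status"] in allowed]

def widget_vulnerable(cache, can_read_private):
    # One cache key for all viewers, but the cached value depends on who
    # ran the query first: the capability check is skipped on a cache hit.
    out = cache.get("recent_entries")
    if out is None:
        out = query_posts(can_read_private)
        cache.add("recent_entries", out)
    return out

def widget_fixed(cache, can_read_private):
    # Pin the query to published posts so the cached value is the same
    # no matter which user populates the cache.
    out = cache.get("recent_entries")
    if out is None:
        out = query_posts(can_read_private, post_status="publish")
        cache.add("recent_entries", out)
    return out

def demo(widget):
    cache = SharedCache()
    widget(cache, can_read_private=True)          # privileged user warms the cache
    return widget(cache, can_read_private=False)  # anonymous visitor reads it

if __name__ == "__main__":
    print("vulnerable:", demo(widget_vulnerable))
    print("fixed:     ", demo(widget_fixed))
```

The same check applies to any cached fragment: either the cached value must not depend on the viewer's capabilities, or the cache key must.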