Opened 4 years ago
Last modified 4 years ago
#52048 assigned enhancement
the functions activate_plugin and deactivate_plugin need validation
| Reported by: | giuse | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 3.0 |
| Component: | Plugins | Keywords: | |
| Focuses: | | Cc: | |
Description
The function activate_plugin https://core.trac.wordpress.org/browser/tags/5.6/src/wp-admin/includes/plugin.php#L633 would need the validation of the array of plugins before saving it.
For normal installations, the current plugins are taken by
$current = get_option( 'active_plugins', array() );
For multisites they are taken by:
get_site_option( 'active_sitewide_plugins', array() );
Both the result of get_option( 'active_plugins', array() ) and get_site_option( 'active_sitewide_plugins', array() ) can be filtered by plugins, so you can't know if $current is a valid array of plugins.
At least, $current should be unique, so I would add
$current = array_unique( $current );
Then I would also check if the plugin files exist before saving the array of active plugins.
I would do the same validation for the function deactivate_plugins https://core.trac.wordpress.org/browser/tags/5.6/src/wp-admin/includes/plugin.php#L633
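
One way to implement the validation proposed in the description, added here as an example (it is not WordPress core code and not a patch from this ticket). It goes beyond `array_unique()` by handling both option shapes: `active_plugins` is a plain list of plugin files, while `active_sitewide_plugins` maps each plugin file to its activation timestamp. The function name, the `$plugin_dir` parameter and the sample data are hypothetical.

```php
<?php
// Added example, not WordPress core code; names and sample data are hypothetical.
// $current: option value, possibly altered by a filter.
// $plugin_dir: absolute plugins directory (WP_PLUGIN_DIR in WordPress).
// $network_wide: true for 'active_sitewide_plugins' (plugin file => timestamp),
//                false for 'active_plugins' (plain list of plugin files).
function example_sanitize_active_plugins( $current, string $plugin_dir, bool $network_wide ): array {
	$root = realpath( $plugin_dir );
	if ( ! is_array( $current ) || false === $root ) {
		return array(); // A filter may hand back a non-array.
	}
	$clean = array();
	foreach ( $current as $key => $value ) {
		// In the sitewide map the plugin file is the key, so array_unique(),
		// which compares values, would compare timestamps there.
		$plugin = $network_wide ? $key : $value;
		if ( ! is_string( $plugin ) || '.php' !== substr( $plugin, -4 ) ) {
			continue;
		}
		// Drop missing files and anything resolving outside the plugins directory.
		$path = realpath( $root . DIRECTORY_SEPARATOR . $plugin );
		if ( false === $path || ! is_file( $path ) || 0 !== strpos( $path, $root . DIRECTORY_SEPARATOR ) ) {
			continue;
		}
		// Keying by plugin file de-duplicates the plain list as well.
		$clean[ $plugin ] = $network_wide ? (int) $value : $plugin;
	}
	if ( $network_wide ) {
		return $clean;
	}
	$clean = array_values( $clean );
	sort( $clean ); // activate_plugin() sorts the list before saving it.
	return $clean;
}

// Constructed sample: a temporary plugins directory holding one real plugin file.
$dir = sys_get_temp_dir() . '/example-plugins-' . uniqid();
mkdir( $dir . '/hello', 0700, true );
file_put_contents( $dir . '/hello/hello.php', "<?php\n" );
$list = array( 'hello/hello.php', 'hello/hello.php', 'gone/gone.php', '../wp-config.php', 42 );
print_r( example_sanitize_active_plugins( $list, $dir, false ) );
$map = array( 'hello/hello.php' => 1609459200, 'gone/gone.php' => 1609459300 );
print_r( example_sanitize_active_plugins( $map, $dir, true ) );
```

Resolving each entry with `realpath()` and requiring it to stay under the plugins directory also rejects filtered-in values such as `../wp-config.php`, which a bare existence check would not.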
The $current code was introduced in Version 3.0 per #11767, [12903].