Context Navigation

← Previous Ticket
Next Ticket →

#52337 new defect (bug)

Non-numeric attachment_id and p query string params result in posts page

Reported by:	timbarkerse	Owned by:
Milestone:	Awaiting Review	Priority:	normal
Severity:	normal	Version:
Component:	Query	Keywords:
Focuses:		Cc:

Description

We've had a very thorough security review done on our site and the reviewer flagged up that giving a non-numeric parameter to p or attachment_id parameters: e.g.

site.com/?p=c or
site.com/?attachment_id=c

returns the posts page of the site. I would expect the 404 page. This behaviour returns the posts page even when we don't want this page to be visible on the site i.e. when the front page is set to a static page and we show the posts in other ways.

I have tested it on a clean install of the latest version of WP with no plugins.

Change History (2)

#1 @timbarkerse
2 years ago

NB: empty attachment_id e.g.
site.com/?attachment_id=

also results in the same behaviour

#2 @SergeyBiryukov
2 years ago

Component changed from General to Query

Hi there, welcome to WordPress Trac! Thanks for the report.

Just linking to some related tickets here: #17737, #33372.

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core