Make WordPress Core

Opened 3 years ago

Last modified 7 months ago

#52337 new defect (bug)

Non-numeric attachment_id and p query string params result in posts page

Reported by: timbarkerse's profile timbarkerse Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Query Keywords: has-patch
Focuses: Cc:


We've had a very thorough security review done on our site and the reviewer flagged up that giving a non-numeric parameter to p or attachment_id parameters: e.g. or

returns the posts page of the site. I would expect the 404 page. This behaviour returns the posts page even when we don't want this page to be visible on the site i.e. when the front page is set to a static page and we show the posts in other ways.

I have tested it on a clean install of the latest version of WP with no plugins.

Change History (4)

#1 @timbarkerse
3 years ago

NB: empty attachment_id e.g.

also results in the same behaviour

#2 @SergeyBiryukov
3 years ago

  • Component changed from General to Query

Hi there, welcome to WordPress Trac! Thanks for the report.

Just linking to some related tickets here: #17737, #33372.

#3 @oglekler
7 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

This issue didn't go anyway, I assume it should have been a 404 error and not the home page.

Right now I have a problem and are looking for a way to fix it and not to have broken pages when someone plaing with URL, it isn't good on the site that should be cool and fancy.

I wonder if we can drag it to the next milestone to get more attention.

This ticket was mentioned in PR #5516 on WordPress/wordpress-develop by @oglekler.

7 months ago

  • Keywords has-patch added; needs-patch removed
Note: See TracTickets for help on using tickets.