Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#52337 new defect (bug)

Non-numeric attachment_id and p query string params result in posts page

Reported by: timbarkerse
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Query
Keywords:
Focuses:
Cc:

Description

We've had a very thorough security review done on our site and the reviewer flagged up that giving a non-numeric value to the p or attachment_id parameters, e.g.

site.com/?p=c or
site.com/?attachment_id=c

returns the posts page of the site. I would expect the 404 page. This behaviour returns the posts page even when we don't want this page to be visible on the site, i.e. when the front page is set to a static page and we show the posts in other ways.

I have tested it on a clean install of the latest version of WP with no plugins.
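One way a site owner can force the 404 the reporter expects, as an added example that is not part of the ticket and not WordPress core code: a small must-use plugin (file name and function names are hypothetical) that hooks the `request` filter, which runs after `WP::parse_request()` has collected the public query vars but before `WP_Query` sanitises them. If `p` or `attachment_id` is present with anything other than a positive integer (so `c`, an empty string, `0` and array values are all rejected), it sets the `error` query var to `404`, which `WP_Query::parse_query()` turns into `set_404()` and `WP::handle_404()` turns into a 404 status header.

```php
<?php
/**
 * Plugin Name: Strict numeric post IDs
 *
 * Hypothetical mu-plugin (wp-content/mu-plugins/strict-numeric-ids.php).
 * Forces a 404 when ?p= or ?attachment_id= is present but not a positive
 * integer, instead of letting the request fall through to the posts page.
 */

/**
 * True only for a positive decimal integer such as "12" or 12.
 * Rejects "", "c", "0", "1e3", " 12", arrays and anything else.
 */
function strict_ids_is_positive_int( $value ) {
	if ( is_int( $value ) ) {
		return $value > 0;
	}
	return is_string( $value ) && 1 === preg_match( '/^[1-9][0-9]*$/', $value );
}

/**
 * 'request' filter callback. Runs before WP_Query::parse_query() applies
 * absint(), which is what silently turns "c" into 0 and makes the query
 * behave as if no ID had been supplied.
 */
function strict_ids_reject_non_numeric( array $query_vars ) {
	foreach ( array( 'p', 'attachment_id' ) as $var ) {
		if ( array_key_exists( $var, $query_vars )
			&& ! strict_ids_is_positive_int( $query_vars[ $var ] ) ) {
			// Drop the bad value so it cannot be coerced to 0 and ignored,
			// then ask WP_Query to mark the request as a 404.
			unset( $query_vars[ $var ] );
			$query_vars['error'] = '404';
			break;
		}
	}
	return $query_vars;
}
add_filter( 'request', 'strict_ids_reject_non_numeric' );
```

With this in place, `site.com/?p=c`, `site.com/?attachment_id=c` and `site.com/?attachment_id=` all render the theme's 404 template with a 404 status, while `site.com/?p=12` still resolves normally. Note that the check is deliberately stricter than core's `absint()`: `?p=0` is also treated as a 404 rather than as "no ID given".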

Change History (2)

#1 @timbarkerse
2 years ago

NB: empty attachment_id e.g.
site.com/?attachment_id=

also results in the same behaviour

#2 @SergeyBiryukov
2 years ago

  • Component changed from General to Query

Hi there, welcome to WordPress Trac! Thanks for the report.

Just linking to some related tickets here: #17737, #33372.
