Opened 2 years ago
Last modified 2 years ago
#52337 new defect (bug)
Non-numeric attachment_id and p query string params result in posts page
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Query | Keywords: | |
| Focuses: | | Cc: | |
Description
We've had a very thorough security review done on our site and the reviewer flagged up that giving a non-numeric parameter to p or attachment_id parameters: e.g.
site.com/?p=c or
site.com/?attachment_id=c
returns the posts page of the site. I would expect the 404 page. This behaviour returns the posts page even when we don't want this page to be visible on the site, i.e. when the front page is set to a static page and we show the posts in other ways.
I have tested it on a clean install of the latest version of WP with no plugins.
Change History (2)
NB: empty attachment_id e.g.
site.com/?attachment_id=
also results in the same behaviour
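
A possible site-level workaround for the behaviour reported in this ticket, added here as an example; it is not part of the ticket or of WordPress core. It assumes the snippet is loaded as a must-use plugin, and the function name `example_404_on_non_numeric_ids` is hypothetical. It inspects the raw query string, so it only covers `p` and `attachment_id` passed via GET, as in the URLs above.

```php
<?php
/**
 * Plugin Name: Example: 404 for non-numeric p / attachment_id (illustrative, not core code)
 */

/**
 * Force a 404 when ?p= or ?attachment_id= is present in the query string
 * but is not a plain run of digits (covers "c", an empty value, and arrays).
 */
function example_404_on_non_numeric_ids() {
	global $wp_query;

	foreach ( array( 'p', 'attachment_id' ) as $key ) {
		if ( ! isset( $_GET[ $key ] ) ) {
			continue; // Parameter not supplied: nothing to validate.
		}

		$raw = $_GET[ $key ];

		// ?p[]=1 arrives as an array; anything non-scalar is invalid here.
		// ctype_digit() is false for '' as well, so ?attachment_id= is caught.
		$valid = is_scalar( $raw ) && ctype_digit( (string) $raw );

		if ( ! $valid ) {
			$wp_query->set_404();  // Makes is_404() true, so the 404 template is loaded.
			status_header( 404 );  // Send the matching HTTP status code.
			nocache_headers();     // Keep the error response out of caches.
			return;
		}
	}
}

// template_redirect fires on front-end requests before the template is chosen.
// Priority 1 runs this ahead of callbacks registered at the default priority.
add_action( 'template_redirect', 'example_404_on_non_numeric_ids', 1 );
```

After deploying, request `/?p=c`, `/?attachment_id=c` and `/?attachment_id=` and confirm each returns HTTP 404 with the theme's 404 template, while a valid numeric ID still resolves normally.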