WordPress should not include a file indicated by a URL query string that has not been specified in an add_submenu_page call
|Reported by:||johnbillion||Owned by:|
Brought up on wp-hackers: http://comox.textdrive.com/pipermail/wp-hackers/2007-November/016405.html
It's possible to include any file within the plugins directory into the admin interface simply by passing the filename as the page parameter to any file within wp-admin.
Steps to reproduce:
- Login to your WordPress admin panel and visit the following URL: www.yourblog.com/wp-admin/edit.php?page=hello.php
- The file wp-content/plugins/hello.php will be include()-ed and will be in the scope of all the WordPress functions.
Try it with any file you have in your plugins directory. The activation status of a plugin is irrelevant as any file within the plugins directory can be included, including those in subdirectories (eg. akismet/akismet.php).
Only files that have been specified as the file paramemeter in add_submenu_page (or any of the wrapper functions) should be included via the page parameter in wp-admin.
Change History (15)
- Component changed from Administration to Menus
- Milestone changed from 2.9 to Future Release
- Type changed from defect (bug) to enhancement