Opened 3 years ago
Closed 3 years ago
#54494 closed defect (bug) (duplicate)
Malicious requests cause warnings and, in later PHP versions, fatal errors.
Reported by: | kavelach | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 5.8.2 |
Component: | Query | Keywords: | |
Focuses: | | Cc: | |
Description
Browsing logs, I stumbled upon issues generated by visits to my website with the following path:
/user/password?name[%23markup]=assert&name[%23post_render][0]=array_map&name[%23suffix]=eval(%24_POST[c])%3B%2F%2F&name[%23type]=markup&test=true
I've spun up a completely new WP instance to test it out without any plugins and with one of the default themes, and sure enough, the issue still happens. I've enabled WP_DEBUG so you can see the warning:
https://wp.yuno.kavela.ch/user/password?name[%23markup]=assert&name[%23post_render][0]=array_map&name[%23suffix]=eval(%24_POST[c])%3B%2F%2F&name[%23type]=markup&test=true
In later versions of PHP, this causes a full-on fatal error, not only a warning.
Change History (1)
Hi there, welcome back to WordPress Trac!
Thanks for the report, we're already tracking this issue in #17737.
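
A log-triage sketch for requests shaped like the one quoted in this ticket, added here as an example and not part of the ticket or of WordPress: PHP turns bracketed parameters such as `name[...]` into an array, so the script flags requests that send array syntax for a parameter assumed to be handled as a string. The `SCALAR_PARAMS` set, the function names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameters the application handles as plain strings.
# "name" is the one seen in the ticket; extend the set for your own site.
SCALAR_PARAMS = {"name"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def array_typed_params(target, scalar_params=SCALAR_PARAMS):
    """Return scalar parameter names that the request sends in PHP array syntax."""
    hits = set()
    for key, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes keys: "name[%23markup]" becomes "name[#markup]".
        base, bracket, _ = key.partition("[")
        if bracket and key.endswith("]") and base in scalar_params:
            hits.add(base)
    return sorted(hits)

def scan(lines, scalar_params=SCALAR_PARAMS):
    """Yield (line_number, parameter_names) for log lines worth a closer look."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = array_typed_params(match.group(1), scalar_params)
        if hits:
            yield number, hits

# Constructed sample log: addresses, timestamps and sizes are made up.
# The path in the second entry is the one quoted in the ticket.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:09:14:02 +0000] "GET /?name=hello-world HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Dec/2021:09:14:05 +0000] "GET /user/password'
    '?name[%23markup]=assert&name[%23post_render][0]=array_map'
    '&name[%23suffix]=eval(%24_POST[c])%3B%2F%2F&name[%23type]=markup&test=true'
    ' HTTP/1.1" 404 1730',
    '203.0.113.9 - - [10/Dec/2021:09:15:11 +0000] "GET /?tag[]=a&tag[]=b HTTP/1.1" 200 4801',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: array syntax for scalar parameter(s) {names}")
```

Parameters outside `SCALAR_PARAMS`, such as `tag[]` in the third sample line, are not flagged, so legitimate array-valued parameters do not add noise.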