#5565 closed defect (bug) (invalid)
Plugin can hook into any functions or variables inside WP
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |

Description
A plugin can hook into any functions or variables in WordPress. A simple example is as follows:

```php
// Runs on the admin_head hook and replaces the global hook table.
function hack_wp() {
    global $wp_filter;
    $wp_filter = array('You can be hacked dude');
    check_wp_hack();
}

// Dumps the current contents of $wp_filter to show the overwrite.
function check_wp_hack() {
    global $wp_filter;
    echo "<pre>Checking OKKK";
    print_r($wp_filter);
    echo "</pre>";
}

add_action('admin_head', 'hack_wp');
```

Change History (2)
#1 follow-up: ↓ 2 @ 18 years ago
- Milestone 2.5 deleted
- Resolution set to invalid
- Status changed from new to closed
#2 in reply to: ↑ 1 @ 18 years ago
Replying to darkdragon:
> Indeed that has been possible, but the plugin would have to be first enabled by the user. However, from your previous tickets, you have stated that a user might be able to inject plugin code which would disrupt the plugin process.
Re: A hacker can inject SQL which would allow for enabling code which could then be used to enable a plugin which the user did not first activate.
Indeed that has been possible, but the plugin would have to be first enabled by the user. However, from your previous tickets, you have stated that a user might be able to inject plugin code which would disrupt the plugin process.
There is no PHP 4 compatible solution that can solve this, however. It is up to the user to make sure that the plugin they are downloading and upgrading is "safe" and up to the community to point out any plugins that aren't.
WordPress can't protect Users from themselves and any hacking attempt that gets this far would need to have the hole that allowed the hacker to initiate code such as this.
This ticket as it stands has no solution or not one that doesn't require forcing PHP5 to use private/protected class members or writing the plugin API as an extension.
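
The private-member approach mentioned in the last comment, sketched as an added example (not WordPress code and not part of the ticket): `HookRegistry`, `addAction`, `doAction` and `hack_registry` are hypothetical names, and PHP 7 or later is assumed so that the illegal access surfaces as a catchable `Error`.

```php
<?php
// Hypothetical hook registry (not WordPress's plugin API): the filter table
// is a private static property instead of the global $wp_filter array.
final class HookRegistry
{
    /** @var array hook name => list of callbacks */
    private static $filters = array();

    public static function addAction($hook, $callback)
    {
        if (!is_callable($callback)) {
            throw new InvalidArgumentException("Callback for '$hook' is not callable");
        }
        self::$filters[$hook][] = $callback;
    }

    public static function doAction($hook)
    {
        $ran = 0;
        // Iterate over a copy so callbacks cannot disturb the loop.
        $callbacks = isset(self::$filters[$hook]) ? self::$filters[$hook] : array();
        foreach ($callbacks as $callback) {
            call_user_func($callback);
            $ran++;
        }
        return $ran;
    }
}

// Constructed plugin code repeating the overwrite from the ticket description.
function hack_registry()
{
    global $wp_filter;
    $wp_filter = array('You can be hacked dude'); // only changes an unrelated global
    try {
        HookRegistry::$filters = array();         // direct write to the private table
    } catch (Error $e) {
        echo 'Blocked: ', $e->getMessage(), "\n";
    }
}

HookRegistry::addAction('admin_head', 'hack_registry');
HookRegistry::addAction('admin_head', function () {
    echo "second callback still registered\n";
});
echo HookRegistry::doAction('admin_head'), " callbacks ran\n";
```

Visibility here is an encapsulation rule, not a sandbox: an activated plugin still executes as PHP in the same process, which is the comment's point that the user must vet what they enable.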