#6838 closed defect (bug) (fixed)
Any user is able to edit attachments
Reported by: | xknown | Owned by: | |
---|---|---|---|
Milestone: | 2.5.1 | Priority: | normal |
Severity: | normal | Version: | 2.5 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
Any user that knows the ID of an attachment is able to edit some attributes of it.
Steps to reproduce the problem:
- Log in as an unprivileged user.
- Go directly to the following URL:
  http://site/wp/wp-admin/media.php?action=edit&attachment_id=ATTACHMENT_ID
- Press the "Save Changes" button.
Attachments (2)
Check upload_files capability
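
The missing check behind the steps above, next to a handler that checks the `upload_files` capability first, as an added example: a stand-alone PHP model, not WordPress code and not the attached patch. The users, the attachment record and all function names are constructed for illustration, and the per-owner check (using the `edit_others_posts` capability name) goes beyond what the ticket states.

```php
<?php
// Simplified model of the media.php "edit" action. Constructed sample data.
$users = [
    'subscriber' => ['id' => 3, 'caps' => ['read']],
    'uploader'   => ['id' => 4, 'caps' => ['read', 'upload_files']],
    'owner'      => ['id' => 2, 'caps' => ['read', 'upload_files']],
];
$attachments = [42 => ['owner' => 2, 'title' => 'logo.png']];

function user_can(array $user, string $cap): bool {
    return in_array($cap, $user['caps'], true);
}

// Before: $user is never consulted, so any logged-in user who knows the ID can save.
function save_attachment_unchecked(array $user, array &$attachments, array $request): string {
    $id = (int) ($request['attachment_id'] ?? 0);
    if (!isset($attachments[$id])) {
        return 'not found';
    }
    $attachments[$id]['title'] = (string) ($request['title'] ?? '');
    return 'saved';
}

// After: authorization runs before the object is read or written.
function save_attachment_checked(array $user, array &$attachments, array $request): string {
    // Capability check first, so a refusal does not reveal whether the ID exists.
    if (!user_can($user, 'upload_files')) {
        return 'denied';
    }
    // Assumption beyond the ticket: also require ownership or a broader capability.
    $id = (int) ($request['attachment_id'] ?? 0);
    if (isset($attachments[$id])
        && $attachments[$id]['owner'] !== $user['id']
        && !user_can($user, 'edit_others_posts')) {
        return 'denied';
    }
    return save_attachment_unchecked($user, $attachments, $request);
}

// The request from the steps to reproduce, with a constructed ID and title.
$request = ['action' => 'edit', 'attachment_id' => '42', 'title' => 'changed'];
foreach ($users as $name => $user) {
    $before = $attachments; // fresh copy of the state for each call
    $after  = $attachments;
    printf("%-10s unchecked=%-6s checked=%s\n", $name,
        save_attachment_unchecked($user, $before, $request),
        save_attachment_checked($user, $after, $request));
}
```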