
Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6838 closed defect (bug) (fixed)

Any user is able to edit attachments

Reported by: xknown
Owned by:
Milestone: 2.5.1
Priority: normal
Severity: normal
Version: 2.5
Component: Security
Keywords:
Focuses:
Cc:

Description

Any user that knows the ID of an attachment is able to edit some attributes of it.

Steps to reproduce the problem:

  1. Log in as an unprivileged user.
  2. Access the following URL directly:

http://site/wp/wp-admin/media.php?action=edit&attachment_id=ATTACHMENT_ID

  3. Press the "Save Changes" button.
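The missing check and the fix this ticket converges on (a capability check on the attachment before the edit action is processed), as an added example that is neither the ticket's patch nor WordPress core code. It assumes the core functions current_user_can(), get_post(), wp_die(), wp_update_post() and absint() are loaded, and uses a hypothetical handler that receives the request array.

```php
<?php
// Added example (not WordPress core code): a minimal handler for
// media.php?action=edit&attachment_id=... in the shape this ticket reports,
// beside the same handler with an edit_post capability check in front.
// Assumes WordPress core functions current_user_can(), get_post(), wp_die(),
// wp_update_post() and absint() are available.

// Vulnerable shape: the handler trusts nothing but the ID in the URL, so any
// logged-in user who knows an attachment ID reaches both the form and the
// "Save Changes" path.
function handle_attachment_edit_vulnerable( array $request ) {
    $attachment_id = absint( $request['attachment_id'] );
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_die( 'Attachment not found.' );
    }
    if ( isset( $request['save'] ) ) {
        wp_update_post( array(
            'ID'           => $attachment_id,
            'post_title'   => $request['post_title'],
            'post_content' => $request['post_content'],
        ) );
    }
    return $post; // caller renders the edit form for this post
}

// Fixed shape: the capability check runs before anything else is done with
// the ID, so it covers displaying the form and saving alike. edit_post is a
// meta capability: for an attachment owned by someone else it resolves to a
// capability such as edit_others_posts, which unprivileged roles lack.
function handle_attachment_edit_fixed( array $request ) {
    $attachment_id = absint( $request['attachment_id'] );
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_die( 'You are not allowed to edit this attachment.' );
    }
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_die( 'Attachment not found.' );
    }
    if ( isset( $request['save'] ) ) {
        wp_update_post( array(
            'ID'           => $attachment_id,
            'post_title'   => $request['post_title'],
            'post_content' => $request['post_content'],
        ) );
    }
    return $post;
}
```

Placing the check above the post lookup, rather than only around the save branch, is the point of the "Move cap check up" commits: an unauthorised user must not reach the form either.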

Attachments (2)

6838.patch (408 bytes) - added by xknown 7 years ago.
Check upload_files capability
6838.diff (639 bytes) - added by mdawaffe 7 years ago.


Change History (7)

@xknown 7 years ago

Check upload_files capability

comment:1 @ryan 7 years ago

(In [7827]) Add cap checks. see #6838

comment:2 @ryan 7 years ago

(In [7828]) Add cap checks. see #6838

comment:3 @ryan 7 years ago

I tried it with an edit_post check.

@mdawaffe 7 years ago

comment:4 @ryan 7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7829]) Move cap check up. Props mdawaffe. fixes #6838 for trunk

comment:5 @ryan 7 years ago

(In [7830]) Move cap check up. Props mdawaffe. fixes #6838 for trunk
