Minor fixes and updates #542
Conversation
| $lcp_content = get_the_password_form($single); | ||
| return $lcp_content; |
There was a problem hiding this comment.
@klemens-st I think it's ok to just return the content here, without the filters and replace we do in the else branch. Since get_the_password_form applies its own filters. The goal is not to show the content unless you've submitted the right password.
From my tests, if you input the right password, WordPress redirects you to the page and if you go back to where the posts are listed, it does show the content (if content=yes and show_protected=yes are set).
There was a problem hiding this comment.
Yes, it works nicely and yes the get_the_password_form function seems to return display ready HTML and doesn't need further filters.
|
@picandocodigo I'll have a look and review tomorrow. Should probably also make sure the content isn't manualny fetched by any other features of the plugin so that this doesn't get resubmitted as a vulnerability. |
There was a problem hiding this comment.
The password protection fix is sufficient I think, but the issue with statuses is somewhat complicated and I'm not sure what is expected of us exactly. I've written in comments all I could think of but right now I don't have enough time to come up with a comprehensive fix. Perhaps later next week if you haven't solved it already by then.
| private function sanitize_status($statuses){ | ||
| if (in_array('private', $statuses) || in_array('draft', $statuses)) { | ||
| if ( !( current_user_can('editor') || current_user_can('administrator')) ) { | ||
| $private_index = array_search('private', $statuses); | ||
| unset($statuses[$private_index]); | ||
| $draft_index = array_search('draft', $statuses); | ||
| unset($statuses[$draft_index]); | ||
| } | ||
| } | ||
| return implode(',', $statuses); |
There was a problem hiding this comment.
When array_search returns false, the unset statement destroys the first element of an array. Unfortunately PHP's type juggling converts false to 0 in numeric contexts so this method doesn't work as intended. Easiest fix:
private function sanitize_status($statuses){
if (in_array('private', $statuses) || in_array('draft', $statuses)) {
if ( !( current_user_can('editor') || current_user_can('administrator')) ) {
$private_index = array_search('private', $statuses);
if ($private_index !== false) {
unset($statuses[$private_index]);
}
$draft_index = array_search('draft', $statuses);
if ($draft_index !== false) {
unset($statuses[$draft_index]);
}
}
}
return implode(',', $statuses);There was a problem hiding this comment.
Is the vulnerability anly about private and draft statuses? What about other statuses like pending or future? Once this method is fixed, users with Author role will be able to do e.g. [catlist post_status=future] and display a list of all scheduled posts to the public Internet, which will probably also raise some oversensitive eyebrows ;)
Another problem is this section of lcp-parameters.php:
List-Category-Posts/include/lcp-parameters.php
Lines 78 to 85 in b7a52be
No need to delete it but maybe just add a check if a user is Editor or Administrator.
| $lcp_content = get_the_password_form($single); | ||
| return $lcp_content; |
There was a problem hiding this comment.
Yes, it works nicely and yes the get_the_password_form function seems to return display ready HTML and doesn't need further filters.
|
@klemens-st Thanks! I'll add that fix for the The report only talks about |
|
@picandocodigo Sure, as I said I'm going to have some time later this week so will be able to fix whatever is necesarry. I've just had another thought about the new |
2 participants
CVE-2025-11377, Authenticated (Contributor+) Information Exposure. `This is a low risk vulnerability that could potentially be executed by an authenticated attacker, with contributor-level access and above. But it should be fixed with this version.