WordPress.com Forums » Tag: automattic security link - Recent Posts

stephdau on "Contributors can publish directly while not supposed to!"

stephdau — Mon, 26 Nov 2012 18:57:42 +0000

Thanks for the cross-link @timethief. Good catch, as per your usual. :)

@jhroy: bienvenue, et merci encore pour le rapport. :)

timethief on "Contributors can publish directly while not supposed to!"

timethief — Wed, 21 Nov 2012 23:04:33 +0000

@jhroy
You're welcome from me and I'm happy to know Staff fixed this so quickly. WordPress.com Staff rock!

jhroy on "Contributors can publish directly while not supposed to!"

jhroy — Wed, 21 Nov 2012 23:03:01 +0000

Thanks for fixing the issue! I was not alone. You're fast! :-)

JHRoy
Montreal

kathrynwp on "Contributors can publish directly while not supposed to!"

kathrynwp — Wed, 21 Nov 2012 20:16:45 +0000

Yes, that sounds like the same issue - thanks a lot, I'll reply there.

timethief on "Contributors can publish directly while not supposed to!"

timethief — Wed, 21 Nov 2012 20:12:50 +0000

@stephdau
Is this a related issue here > http://en.forums.wordpress.com/topic/user-roles-error?replies=3

stephdau on "Contributors can publish directly while not supposed to!"

stephdau — Wed, 21 Nov 2012 20:08:21 +0000

We were able to reproduce the problem and it has now been fixed. You should no longer have such issues. Thanks for the detailed report, but please indeed contact us via our security page, should you ever find another such issue, as it's by far the fastest way for us to be made aware and deploy a fix.

Best regards.

jhroy on "Contributors can publish directly while not supposed to!"

jhroy — Wed, 21 Nov 2012 18:40:35 +0000

Thanks timethief and Kathryn!

Sorry to do so publicly. The issue was unknown to peers.

JHR

timethief on "Contributors can publish directly while not supposed to!"

timethief — Wed, 21 Nov 2012 18:07:22 +0000

Thanks for that link Kathryn. I fired off an email.

kathrynwp on "Contributors can publish directly while not supposed to!"

kathrynwp — Wed, 21 Nov 2012 18:06:24 +0000

Thank you for letting us know - we are investigating and appreciate your thorough report.

In future, it's safer for everyone if you don't post potential security issues publicly before a fix is in place. You can either use this form - http://automattic.com/security/ - or email security AT wordpress.com.

Thanks very much.

timethief on "Contributors can publish directly while not supposed to!"

timethief — Wed, 21 Nov 2012 17:26:31 +0000

I've flagged this thread for Staff attention.

jhroy on "Contributors can publish directly while not supposed to!"

jhroy — Wed, 21 Nov 2012 16:59:14 +0000

Discovered the following security issue on WP.com.

Anyone else has experienced it?

[security issue redacted]

Jean-Hugues Roy
prof. UQAM, Montréal, QC, Canada