Contributors can publish directly while not supposed to!

  • #1076135

    jhroy
    Member

    Discovered the following security issue on WP.com.

    Has anyone else experienced it?

    [security issue redacted]

    Jean-Hugues Roy
    prof. UQAM, Montréal, QC, Canada

    #1076241

    timethief
    Member

    I’ve flagged this thread for Staff attention.

    #1076254

    kathrynwp
    Staff

    Thank you for letting us know – we are investigating and appreciate your thorough report.

    In future, it’s safer for everyone if you don’t post potential security issues publicly before a fix is in place. You can either use this form – http://automattic.com/security/ – or email security AT wordpress.com.

    Thanks very much.

    #1076255

    timethief
    Member

    Thanks for that link Kathryn. I fired off an email.

    #1076289

    jhroy
    Member

    Thanks timethief and Kathryn!

    Sorry to do so publicly. The issue was unknown to peers.

    JHR

    #1076327

    stephdau
    Staff

    We were able to reproduce the problem and it has now been fixed. You should no longer have such issues. Thanks for the detailed report, but please indeed contact us via our security page, should you ever find another such issue, as it’s by far the fastest way for us to be made aware and deploy a fix.

    Best regards.

    #1076330

    timethief
    Member
    #1076333

    kathrynwp
    Staff

    Yes, that sounds like the same issue – thanks a lot, I’ll reply there.

    #1076434

    jhroy
    Member

    Thanks for fixing the issue! I was not alone. You’re fast! :-)

    JHRoy
    Montreal

    #1076436

    timethief
    Member

    @jhroy
    You’re welcome from me and I’m happy to know Staff fixed this so quickly. WordPress.com Staff rock!

    #1076597

    stephdau
    Staff

    Thanks for the cross-link @timethief. Good catch, as per your usual. :)

    @jhroy: you're welcome, and thanks again for the report. :)

The topic ‘Contributors can publish directly while not supposed to!’ is closed to new replies.