

Multipost MU
Security hole (2 posts)

  1. Tom Lynch
    Posted 3 years ago #

    I noticed this evening that if a user is a subscriber to a blog and an administrator of another on a blog network, then from the admin-able blog they can multipost to the blog they subscribe to and the post actually is saved to that other blog, defeating the entire WordPress capabilities system.

    It needs to check before posting.

  2. tmuka
    Plugin Author

    Posted 3 years ago #

    Hi Tom, thanks for the report, I've confirmed that this is currently the case since we're just using the "get_blogs_of_user" function to populate the list for admin users. We'll add some user permissions checking in a future release.

Topic Closed

This topic has been closed to new replies.
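
The missing check discussed in this thread, sketched as an added example (not the plugin's own code): filter the `get_blogs_of_user` list by capability, and check again before writing to the target blog. The `example_` function names are hypothetical, and the sketch assumes `publish_posts` is the required capability and WordPress 4.9 or later.

```php
<?php
// Added example: every function prefixed example_ is hypothetical.

/**
 * True if the current user may publish posts on the given site.
 * Assumption: WordPress 4.9+, where switch_to_blog() also reloads the
 * current user's roles for the site being switched to.
 */
function example_user_can_publish_on( $blog_id ) {
    switch_to_blog( $blog_id );
    $allowed = current_user_can( 'publish_posts' );
    restore_current_blog();
    return $allowed;
}

/**
 * Build the list of multipost targets for a user.
 * get_blogs_of_user() returns every site the user belongs to in any role
 * (subscriber included), so the list is filtered by capability here.
 */
function example_multipost_targets( $user_id ) {
    $targets = array();
    foreach ( get_blogs_of_user( $user_id ) as $site ) {
        if ( example_user_can_publish_on( $site->userblog_id ) ) {
            $targets[ $site->userblog_id ] = $site->blogname;
        }
    }
    return $targets;
}

/**
 * Copy a post to another site. The target ID arrives with the form
 * submission, so it is checked again here: wp_insert_post() itself does
 * not perform any capability check.
 */
function example_copy_post_to_site( $blog_id, array $postarr ) {
    $blog_id = absint( $blog_id );
    if ( ! example_user_can_publish_on( $blog_id ) ) {
        return new WP_Error( 'example_forbidden', 'You cannot publish on that site.' );
    }
    switch_to_blog( $blog_id );
    $postarr['post_author'] = get_current_user_id();
    $new_id = wp_insert_post( $postarr, true ); // WP_Error on failure
    restore_current_blog();
    return $new_id;
}
```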
