WordPress.org

Frontier Post
Short code can be removed by users? (5 posts)

  1. localsports
    Member
    Posted 5 months ago #

    While testing out Frontier Post, I went to the front end editor and instead of typing in a post I just hit the save button. I expected to see an error message that said fields missing or something similar but instead the front end editor came back up with the [frontier-post] displaying in the editor. I then removed the short code [frontier-post] and typed test page and hit save. After that, each time I clicked the create post button, it took me to a page that said "test page" and nothing else. I then created a new username and assigned the editor role to it. Once again I repeated the same steps and once again the create post page was replaced with a page that said test page.

    So does this mean that anyone who has the ability to make posts can break the site by simply pressing the save button before typing anything into the front end editor and then when the page comes back up, remove the [frontier-post] short code?

    https://wordpress.org/plugins/frontier-post/

  2. localsports
    Member
    Posted 5 months ago #

    Does anyone have a solution to this? It would appear that the issue is a major bug if you allow users to submit posts.

  3. finnj
    Member
    Plugin Author

    Posted 5 months ago #

    I will look into this

  4. finnj
    Member
    Plugin Author

    Posted 5 months ago #

    Hi

    I have done some testing but can't recreate the problem. This being said, I recognize there is a problem in the code.

    I need to understand if a user profile that isn't allowed to edit pages can do this.

    I suspect it is only editors and admins that will be able to do this, and they would be able to edit the page anyway. Can you please confirm this?

    I still need to fix. It means that I need to implement validation, which is on the roadmap anyway.

    If authors or below are able to edit pages, I need to do an emergency fix, but as I see it, it is only profiles that could edit the page anyway that are able to do this.

  5. localsports
    Member
    Posted 5 months ago #

    Yes, you are correct: on closer inspection, only users who have authority to edit other users' posts can remove the shortcode. Otherwise, if they try to remove the code, they get a message that says they cannot edit the post.
