serious security flaw at WordPress User Access Manager plugin (3 posts)

  1. edehner49
    Member
    Posted 3 years ago #

    I am using your User Access Manager plugin (v1.2.1) on my WordPress (v3.3.1) installation and have detected a serious security flaw:

    In the UAM settings there are options to completely hide protected posts and protected pages. But it is possible to access information about protected and hidden posts/pages over the posts and comments RSS feeds. When protected posts/pages are hidden, I would expect one of two options concerning RSS feeds:

    1) these protected posts/pages do not appear in the posts/comments RSS feeds at all unless the user is consuming the feeds authenticated

    2) these protected posts/pages appear masked in the posts/comments RSS feeds, with captions like, for example, "new hidden post/page" and teaser text like "please login to view the post/page".

    Right now, I have deactivated the otherwise useful RSS feeds of my WordPress installation to keep my protected and hidden posts/pages secure, and I am waiting for this to be fixed.

    http://wordpress.org/extend/plugins/user-access-manager/

  2. Mark (podz)
    Support Maven
    Posted 3 years ago #

    Please send full details to plugins@wordpress.org and we will take it from there.

  3. GM_Alex
    Member
    Plugin Author

    Posted 3 years ago #

    Hi,

    The RSS feed is cached by the browser. Clear the cache and it will work as expected.

    Bye,
    Alex
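
A site owner can settle the question raised in this thread by auditing the feed XML directly. The following is an added example, not code from the plugin or from any poster here: it classifies feed items that point at protected posts as leaked or masked. Run over a freshly fetched, unauthenticated copy of each feed (no cookies, no cache), it separates a stale cached copy from a real leak. The feeds, permalinks and placeholder strings are constructed; the placeholders are borrowed from option 2 of the report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

CONTENT = "{http://purl.org/rss/1.0/modules/content/}encoded"
# Assumed placeholder texts, taken from option 2 in the report above.
MASK_TITLE = "new hidden post/page"
MASK_TEASER = "please login to view the post/page"
# Constructed sample data: permalinks of protected posts and two feed bodies.
PROTECTED = {"http://blog.example/?p=12", "http://blog.example/?p=13"}
POSTS_FEED = """<rss version="2.0"
 xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>Example blog</title>
<item><title>Public news</title><link>http://blog.example/?p=10</link>
<description>Hello</description></item>
<item><title>Board minutes</title><link>http://blog.example/?p=12</link>
<description>Internal only</description>
<content:encoded><![CDATA[<p>Internal only</p>]]></content:encoded></item>
<item><title>new hidden post/page</title><link>http://blog.example/?p=13</link>
<description>please login to view the post/page</description></item>
</channel></rss>"""
COMMENTS_FEED = """<rss version="2.0"><channel><title>Comments</title>
<item><title>Comment on Board minutes by alice</title>
<link>http://blog.example/?p=12#comment-5</link>
<description>I disagree with item 3</description></item>
</channel></rss>"""

def audit_feed(xml_text, protected_links):
    """Return (status, post_link) for each item that points at a protected post.

    "leaked": real title or body text is served to this reader.
    "masked": only the placeholder texts are served (option 2).
    Protected posts absent from the feed (option 1) produce no entry.
    """
    protected = {link.rstrip("/") for link in protected_links}
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        # Comment-feed links carry a #comment-N fragment; drop it to get the post.
        raw = item.findtext("link", "").strip()
        post_link = urldefrag(raw).url.rstrip("/")
        if post_link not in protected:
            continue
        title = item.findtext("title", "").strip()
        bodies = [item.findtext("description", ""), item.findtext(CONTENT, "")]
        masked = title == MASK_TITLE and all(
            b.strip() in ("", MASK_TEASER) for b in bodies)
        findings.append(("masked" if masked else "leaked", post_link))
    return findings
```

An empty result, or one containing only "masked" entries, for both the posts feed and the comments feed matches the behaviour the report expects.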

Topic Closed

This topic has been closed to new replies.
