• I am using your User Access Manager plugin (v1.2.1) at my WordPress
    (v3.3.1) installation and have detected a serious security flaw:

    At the UAM settings there are options to completely hide protected
    posts and protected pages. But it is possible to access information
    about protected and hidden posts/pages over the posts and comments RSS feeds. When protected posts/pages are hidden, I would expect one of two options concerning RSS feeds:

    1) these protected posts/pages do not appear at the posts/comments RSS feeds at all unless the user is consuming the feeds authenticated

    2) these protected posts/pages appear masked at the posts/comments RSS feeds with captions for example like “new hidden post/page” and teaser text like “please login to view the post/page”.

    Right now, I have deactivated the otherwise useful RSS feeds of my
    WordPress installation to keep my protected and hidden posts/pages secure and wait for this to be fixed.

    http://wordpress.org/extend/plugins/user-access-manager/
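
Added example, not part of the original post and not the plugin's code: a small audit that takes a feed as fetched without authentication and classifies each protected permalink as absent (option 1 above), masked (option 2) or leaked. The feed, the `blog.example` URLs and the `PROTECTED` inventory are constructed sample data, and `audit_feed` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an anonymously fetched feed (post and comment items).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example blog</title>
<item><title>Public news</title><link>https://blog.example/public-news/</link>
  <description>Hello world</description></item>
<item><title>Board minutes Q3</title><link>https://blog.example/board-minutes-q3/</link>
  <description>Attendees and decisions</description></item>
<item><title>New hidden post</title><link>https://blog.example/staff-roster/</link>
  <description>Please login to view the post</description></item>
<item><title>Comment on Salary table by alice</title>
  <link>https://blog.example/salary-table/#comment-7</link>
  <description>Looks right to me</description></item>
</channel></rss>"""

# Constructed inventory of protected content: permalink -> real title.
PROTECTED = {
    "https://blog.example/board-minutes-q3/": "Board minutes Q3",
    "https://blog.example/staff-roster/": "Staff roster",
    "https://blog.example/salary-table/": "Salary table",
    "https://blog.example/hr-policy/": "HR policy",
}

def audit_feed(feed_xml, protected):
    """Map each protected permalink to 'absent', 'masked' or 'leaked'."""
    items = []
    for item in ET.fromstring(feed_xml).iter("item"):
        link = (item.findtext("link") or "").strip()
        # Only title and description are inspected; namespaced elements such
        # as content:encoded are outside this example's scope.
        text = " ".join(item.findtext(tag) or "" for tag in ("title", "description"))
        items.append((link, text.lower()))
    result = {}
    for link, real_title in protected.items():
        if any(real_title.lower() in text for _, text in items):
            result[link] = "leaked"    # real title readable without login
        elif any(item_link.startswith(link) for item_link, _ in items):
            result[link] = "masked"    # item present, placeholder text only
        else:
            result[link] = "absent"    # nothing in the feed points at it
    return result

if __name__ == "__main__":
    for link, status in audit_feed(SAMPLE_FEED, PROTECTED).items():
        print(f"{status:7} {link}")
```

A "masked" result still exposes the permalink, so a descriptive slug can reveal the topic even when title and teaser are replaced.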

  • The topic ‘serious security flaw at WordPress User Access Manager plugin’ is closed to new replies.