Support » Plugin: User Access Manager » serious security flaw at WordPress User Access Manager plugin

  • I am using your User Access Manager plugin (v1.2.1) at my WordPress
    (v3.3.1) installation and have detected a serious security flaw:

    At the UAM settings there are options for completely hide protected
    posts and protected pages. But it is possible to access information
    about protected and hidden posts/pages over the posts and comments RSS feeds. When protected posts/pages are hidden, I would expect one of two options concerning RSS feeds:

    1) these protected posts/pages do not appear at the posts/comments RSS feeds at all unless the user is consuming the feeds authenticated

    2) these protected posts/pages appear masked at the posts/comments RSS feeds with captions for example like “new hidden post/page” and teaser text like “please login to view the post/page”.

    Right now, I have deactivated the otherwise useful RSS feeds of my
    Wordpress installation to keep my protected and hidden posts/pages secure and wait for this to be fixed.

    http://wordpress.org/extend/plugins/user-access-manager/

Viewing 2 replies - 1 through 2 (of 2 total)
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘serious security flaw at WordPress User Access Manager plugin’ is closed to new replies.