I am using your User Access Manager plugin (v1.2.1) on my WordPress
(v3.3.1) installation and have detected a serious security flaw:
In the UAM settings there are options to completely hide protected
posts and protected pages. But it is possible to access information
about protected and hidden posts/pages via the posts and comments RSS feeds. When protected posts/pages are hidden, I would expect one of two options concerning RSS feeds:
1) these protected posts/pages do not appear at the posts/comments RSS feeds at all unless the user is consuming the feeds authenticated
2) these protected posts/pages appear masked at the posts/comments RSS feeds with captions for example like “new hidden post/page” and teaser text like “please login to view the post/page”.
Right now, I have deactivated the otherwise useful RSS feeds of my
WordPress installation to keep my protected and hidden posts/pages secure and will wait for this to be fixed.
- The topic ‘serious security flaw at WordPress User Access Manager plugin’ is closed to new replies.
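The two behaviours the report asks for (drop protected items from the feeds unless the reader is logged in, or keep them but mask their text) can be expressed as ordinary WordPress hooks. The following is an added example written for this page; it is not code from the User Access Manager plugin. Which posts count as "protected" is an assumption: here it is any post or page carrying the constructed meta key `_example_protected` with value `1`, where a real plugin would consult its own access-control settings. All hooks used (`pre_get_posts`, `comments_clauses`, `the_title_rss`, `the_content_feed`, `the_excerpt_rss`, `comment_text_rss`) are standard WordPress filters. Note that masking only replaces titles and bodies; feed items still carry permalinks and GUIDs, so the hide mode is the one that actually keeps hidden content out of an anonymous reader's hands.

```php
<?php
/*
 * Added example (not part of the User Access Manager plugin): a small
 * mu-plugin that keeps protected posts/pages out of anonymous RSS feeds.
 * "Protected" is assumed to mean: post meta _example_protected = 1.
 */

define( 'EXAMPLE_PROTECTED_META', '_example_protected' ); // constructed meta key
define( 'EXAMPLE_FEED_MODE', 'hide' );                    // 'hide' or 'mask'

/** IDs of protected posts/pages. A direct query avoids re-entering pre_get_posts. */
function example_protected_post_ids() {
    global $wpdb;
    static $ids = null;
    if ( null === $ids ) {
        $ids = array_map( 'intval', $wpdb->get_col( $wpdb->prepare(
            "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = '1'",
            EXAMPLE_PROTECTED_META
        ) ) );
    }
    return $ids;
}

/** Feed readers rarely send a WordPress login cookie, so an anonymous feed
 *  request must get the restricted view; logged-in users keep the full feed. */
function example_feed_is_restricted() {
    return is_feed() && ! is_user_logged_in();
}

/* Option 1: remove protected items from the posts feed entirely. */
function example_hide_from_post_feeds( WP_Query $query ) {
    if ( EXAMPLE_FEED_MODE !== 'hide' || ! $query->is_feed() || is_user_logged_in() ) {
        return;
    }
    $ids = example_protected_post_ids();
    if ( $ids ) {
        $query->set( 'post__not_in', array_merge( (array) $query->get( 'post__not_in' ), $ids ) );
    }
}
add_action( 'pre_get_posts', 'example_hide_from_post_feeds' );

/* Option 1, comments feed: drop comments that belong to protected posts. */
function example_hide_from_comment_feeds( $clauses, WP_Comment_Query $comment_query ) {
    global $wpdb;
    if ( EXAMPLE_FEED_MODE !== 'hide' || ! example_feed_is_restricted() ) {
        return $clauses;
    }
    $ids = example_protected_post_ids();
    if ( $ids ) {
        $extra = "{$wpdb->comments}.comment_post_ID NOT IN (" . implode( ',', $ids ) . ')';
        $clauses['where'] = trim( $clauses['where'] ) === '' ? $extra : $clauses['where'] . ' AND ' . $extra;
    }
    return $clauses;
}
add_filter( 'comments_clauses', 'example_hide_from_comment_feeds', 10, 2 );

/* Option 2: keep the items but replace title, body and comment text. */
function example_is_masked_post( $post_id ) {
    return EXAMPLE_FEED_MODE === 'mask' && example_feed_is_restricted()
        && in_array( (int) $post_id, example_protected_post_ids(), true );
}
function example_mask_title( $title ) {
    return example_is_masked_post( get_the_ID() ) ? 'New hidden post/page' : $title;
}
function example_mask_body( $text ) {
    return example_is_masked_post( get_the_ID() ) ? 'Please log in to view this post/page.' : $text;
}
function example_mask_comment( $text ) {
    $comment = get_comment(); // current comment of the feed loop
    if ( $comment && example_is_masked_post( (int) $comment->comment_post_ID ) ) {
        return 'Please log in to view this comment.';
    }
    return $text;
}
add_filter( 'the_title_rss', 'example_mask_title' );
add_filter( 'the_content_feed', 'example_mask_body' );
add_filter( 'the_excerpt_rss', 'example_mask_body' );
add_filter( 'comment_text_rss', 'example_mask_comment' );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins, then request `/feed/` and `/comments/feed/` once anonymously and once with a logged-in browser session; the anonymous responses should no longer contain the protected titles, bodies or comments.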