User Access Manager
serious security flaw at WordPress User Access Manager plugin (3 posts)

  1. edehner49
    Posted 4 years ago #

    I am using your User Access Manager plugin (v1.2.1) on my WordPress
    (v3.3.1) installation and have detected a serious security flaw:

    In the UAM settings there are options to completely hide protected
    posts and protected pages. But it is possible to access information
    about protected and hidden posts/pages over the posts and comments
    RSS feeds. When protected posts/pages are hidden, I would expect one
    of two options concerning RSS feeds:

    1) these protected posts/pages do not appear in the posts/comments RSS feeds at all unless the user is consuming the feeds authenticated

    2) these protected posts/pages appear masked in the posts/comments RSS feeds, with captions like, for example, "new hidden post/page" and teaser text like "please login to view the post/page".

    Right now, I have deactivated the otherwise useful RSS feeds of my
    WordPress installation to keep my protected and hidden posts/pages
    secure and am waiting for this to be fixed.


  2. Mark (podz)
    Support Maven
    Posted 4 years ago #

    Please send full details to plugins@wordpress.org and we will take it from there.

  3. GM_Alex
    Plugin Author

    Posted 4 years ago #


    The RSS feed is cached by the browser; clear the cache and it will work as expected.
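
A way to check the behaviour reported in the first post against feed XML fetched without cookies or a browser cache. This is an added example, not part of the thread or the plugin's code. The sample feed, the post IDs and the function name `find_leaked_items` are constructed, and it assumes feed items carry a `?p=<ID>` or `?page_id=<ID>` style guid or link.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a feed fetched unauthenticated; not real site data.
SAMPLE_FEED = """<rss version="2.0">
<channel>
  <title>Example blog</title>
  <item>
    <title>Public news</title>
    <link>http://blog.example/2012/01/public-news/</link>
    <guid isPermaLink="false">http://blog.example/?p=10</guid>
    <description>Visible to everyone.</description>
  </item>
  <item>
    <title>Board minutes</title>
    <link>http://blog.example/2012/01/board-minutes/</link>
    <guid isPermaLink="false">http://blog.example/?p=42</guid>
    <description>Members-only text.</description>
  </item>
  <item>
    <title>Comment on Board minutes by alice</title>
    <link>http://blog.example/2012/01/board-minutes/#comment-7</link>
    <guid isPermaLink="false">http://blog.example/?p=42#comment-7</guid>
    <description>Reply quoting the protected post.</description>
  </item>
</channel>
</rss>"""

# Assumed ID format: ?p=<ID> for posts, ?page_id=<ID> for pages.
POST_ID = re.compile(r"[?&](?:p|page_id)=(\d+)")


def find_leaked_items(feed_xml, protected_ids):
    """Return (post_id, title) for each feed item that references a protected post."""
    protected = set(protected_ids)
    leaked = []
    for item in ET.fromstring(feed_xml).iter("item"):
        # Check guid and link together: either one may be a pretty permalink.
        refs = (item.findtext("guid") or "") + " " + (item.findtext("link") or "")
        ids = {int(m) for m in POST_ID.findall(refs)}
        title = (item.findtext("title") or "").strip()
        # Comment-feed items carry the parent post's ID, so they are caught too.
        leaked.extend((post_id, title) for post_id in sorted(ids & protected))
    return leaked


if __name__ == "__main__":
    for post_id, title in find_leaked_items(SAMPLE_FEED, {42}):
        print(f"LEAK: protected post {post_id} exposed in feed item {title!r}")
```

An empty result for a feed fetched without a session means none of the listed protected IDs appear in it; if the site masks entries instead of omitting them, flagged items need a manual look at their title and description.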


Topic Closed

This topic has been closed to new replies.
