Opened 15 years ago
Closed 15 years ago
#3410 closed defect (bug) (fixed)
Security : wp-admin/users.php No role user can list all wp users
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.1 | Priority: | highest omg bbq |
Severity: | critical | Version: | 2.1 |
Component: | Security | Keywords: | security users.php has-patch |
Focuses: | | Cc: | |
Description
A simple user, even without a role, can list all WP users.
- Just log in to WP with a basic account
- Type /wp-admin/users.php at the end of the URL
Then it lists all users, with email and others...
Attachments (1)
Change History (5)
#1
@
15 years ago
- Keywords has-patch added
- Owner changed from anonymous to westi
- Status changed from new to assigned
- Version set to 2.1
#2
@
15 years ago
2.0.5 / branches/2.0 is safe from this issue already:
"You do not have sufficient permissions to access this page." - protected by the menu.php capabilities checks.
Confirm this works on trunk.
Attaching simple patch which just blocks you accessing users.php as I can't see a need for someone without edit_users accessing it.
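
An added example, not WordPress core code and not the attached patch: a standalone PHP model of the check the comments describe, showing that hiding a menu entry does not protect a page requested directly, while a capability gate on the page itself does. All function and constant names, the role map and the sample users are constructed for illustration; only `users.php`, `edit_users` and the error message come from the ticket.

```php
<?php
// Added illustration; not WordPress core code. Every name below is hypothetical.

// Constructed role => capability map. Only 'edit_users' is taken from the ticket.
const ROLE_CAPS = [
    'administrator' => ['read', 'edit_users'],
    'subscriber'    => ['read'],
];

// Capability each admin page requires. Pages missing from the map are denied.
const PAGE_CAPS = ['index.php' => 'read', 'users.php' => 'edit_users'];

// A user holds the union of the capabilities of their roles; no role means none.
function user_can(array $user, string $cap): bool {
    foreach ($user['roles'] as $role) {
        if (in_array($cap, ROLE_CAPS[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// The menu only decides which links are displayed. It is not an access control.
function visible_menu(array $user): array {
    return array_keys(array_filter(PAGE_CAPS, fn($cap) => user_can($user, $cap)));
}

// Page-level gate: evaluated on every request, including a hand-typed URL.
function handle_request(array $user, string $page): array {
    $required = PAGE_CAPS[$page] ?? null;
    if ($required === null || !user_can($user, $required)) {
        return [403, 'You do not have sufficient permissions to access this page.'];
    }
    return [200, "render $page"];
}

// Constructed sample users.
$users = [
    ['login' => 'norole', 'roles' => []],
    ['login' => 'sub',    'roles' => ['subscriber']],
    ['login' => 'admin',  'roles' => ['administrator']],
];

foreach ($users as $user) {
    [$status, $body] = handle_request($user, 'users.php');
    printf("%-7s menu=[%s] users.php -> %d %s\n",
        $user['login'], implode(',', visible_menu($user)), $status, $body);
}
```

Run with PHP 7.4 or later. The gate denies by default, so a page that was never given a required capability is refused rather than served.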