
Insecure code in the abandoned PHP Speedy plugin for WordPress

To combine the blog's CSS and JS files on WordPress, I found nothing better than the abandoned PHP Speedy project (Web Optimizer refused to install because of a conflicting plugin). Imagine my surprise when I stumbled upon this insecure code:



// action function for above hook
function mt_add_pages() {
    // 3rd argument is the access level required to see the settings page
    add_options_page('php_speedy_wp.php', 'PHP Speedy', 0, $this->home_url, array(&$this, 'menu_system'));
}



(line 568 of the plugin's source)



Look at the add_options_page() call, which adds the "PHP Speedy" item to the Settings menu so the plugin can be configured. Its third parameter is the user level (0 to 10 in the old WordPress model) a user must have to see and use the settings page. Here it is 0, the level of a Subscriber, rather than 10 (Administrator). As a result, every registered user of the blog sees the item in the dashboard menu and can, of course, reconfigure the plugin at will or even deactivate it. A numeric level is itself legacy: since WordPress 2.0 this parameter is meant to be a capability string such as manage_options, and the menu entry only controls whether the link is shown, so the settings handler should check current_user_can() on its own as well.



So if you still use this plugin and user registration on your blog is open, be sure to fix this oversight.
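The following is an added example, not code from PHP Speedy or from the original post: it puts a menu registration with the legacy level 0 next to a corrected one that requires the manage_options capability, and shows the handler-side checks the menu capability alone does not give you. The function names, the menu slugs, the option name and the form field names are assumptions made up for this illustration.

```php
<?php
/*
Plugin Name: Options Page Capability Example
Description: Added example (not PHP Speedy's own code) contrasting a settings page
registered with legacy user level 0 against one gated on the manage_options capability.
*/

// VULNERABLE (the pattern described in the post). The third argument of
// add_options_page() is the access requirement. A numeric 0 is the legacy
// "user level" of a Subscriber, so every logged-in user gets the menu item
// and, if the callback does no further checking, can change the settings.
function example_add_pages_insecure() {
    add_options_page(
        'PHP Speedy',               // page title
        'PHP Speedy',               // menu title
        0,                          // legacy level 0 == Subscriber: any registered user
        'example-speedy-insecure',  // hypothetical menu slug
        'example_render_settings'
    );
}

// FIXED: require the manage_options capability (Administrators by default).
// Capability strings replaced numeric levels in WordPress 2.0; levels are deprecated.
function example_add_pages_secure() {
    add_options_page(
        'PHP Speedy',
        'PHP Speedy',
        'manage_options',
        'example-speedy',           // hypothetical menu slug
        'example_render_settings'
    );
}
add_action( 'admin_menu', 'example_add_pages_secure' );

// The menu capability only hides the link. The callback itself must re-check
// the capability, and any state-changing POST must carry a valid nonce.
function example_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to manage these settings.' ) );
    }

    if ( isset( $_POST['example_speedy_save'] ) ) {
        // Dies with a 403 if the nonce is missing or invalid (CSRF protection).
        check_admin_referer( 'example_speedy_save', 'example_speedy_nonce' );
        $enabled = isset( $_POST['example_speedy_enabled'] ) ? 1 : 0;
        update_option( 'example_speedy_enabled', $enabled ); // hypothetical option name
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $enabled = (int) get_option( 'example_speedy_enabled', 0 );
    ?>
    <div class="wrap">
        <h1>PHP Speedy (example)</h1>
        <form method="post">
            <?php wp_nonce_field( 'example_speedy_save', 'example_speedy_nonce' ); ?>
            <label>
                <input type="checkbox" name="example_speedy_enabled" value="1" <?php checked( $enabled, 1 ); ?> />
                Combine CSS and JS files
            </label>
            <p><input type="submit" name="example_speedy_save" class="button button-primary" value="Save" /></p>
        </form>
    </div>
    <?php
}
```

To verify a fix on a live site, log in as a Subscriber and confirm that the Settings entry is gone; then, still as that user, request the settings page by its slug directly (for example /wp-admin/options-general.php?page=example-speedy), since WordPress refuses the page based on the registered capability, not on whether the link is visible.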



Source: https://habr.com/ru/post/118369/


