Opened 21 months ago
Security feature for Widget Logic
Reported by: outis
Owned by:
Severity: major
Keywords: widget-logic security capabilities has-patch
The description for Widget Logic notes:
Anyone who has access to edit widget appearance will have the right to add any code, including malicious and possibly destructive functions.
There are mitigating factors for this, such as the fact that the "edit_theme_options" capability (required to view the Widgets options page in WP 3.0 and later) is only granted by default to administrators and the super admin. Even so, Widget Logic could benefit from a measure of security.
The attached patch addresses this by using WP capabilities. It adds an option that is used to store a capability, defaulting to "administrator" and set by a text input (placed next to the other WL options). WL admin actions are only added if the current user has this capability. Additionally, widget_logic_expand_control, widget_logic_options_filter and widget_logic_widget_update_callback also check that the current user has the configured capability; if not, they exit before performing any processing.
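The gating scheme the ticket describes, written out as an added illustration. This is not the attached patch and not Widget Logic's own code: the option name `widget_logic_required_cap`, the `wl_*` function names and the `widget_logic` instance field are assumed for the example. It keeps the ticket's default of "administrator", reads the configured capability through `current_user_can()`, registers the admin-side hooks only when the current user passes that check, and makes the callbacks bail out before any processing when it fails. It also gates the setting itself, so a user who does not pass the check cannot lower the bar for themselves.

```php
<?php
// Added example of capability gating for a widget-logic style plugin.
// Not the patch from this ticket; option and function names are assumed.

define( 'WL_CAP_OPTION', 'widget_logic_required_cap' ); // assumed option name
define( 'WL_CAP_DEFAULT', 'administrator' );            // default named in the ticket

// Return the configured capability, sanitised so a tampered stored value
// cannot carry anything other than a plain capability/role slug.
function wl_required_capability() {
    $cap = sanitize_key( get_option( WL_CAP_OPTION, WL_CAP_DEFAULT ) );
    return $cap !== '' ? $cap : WL_CAP_DEFAULT;
}

// Central gate: true only for a logged-in user holding the configured capability.
function wl_user_may_edit_logic() {
    return is_user_logged_in() && current_user_can( wl_required_capability() );
}

// Persist a new capability. Only a user who already passes the gate may change it;
// otherwise a lower-privileged user could set it to something they hold.
function wl_save_required_capability( $new_cap ) {
    if ( ! wl_user_may_edit_logic() ) {
        return false;
    }
    $new_cap = sanitize_key( $new_cap );
    if ( $new_cap === '' ) {
        return false;
    }
    return update_option( WL_CAP_OPTION, $new_cap );
}

// Widget-form hook (in_widget_form passes the widget, a return flag and the instance).
// Exit before emitting the logic field when the gate fails.
function wl_example_expand_control( $widget, $return, $instance ) {
    if ( ! wl_user_may_edit_logic() ) {
        return;
    }
    $current = isset( $instance['widget_logic'] ) ? $instance['widget_logic'] : '';
    printf(
        '<p><label>Widget logic: <input type="text" name="%s" value="%s" /></label></p>',
        esc_attr( $widget->get_field_name( 'widget_logic' ) ),
        esc_attr( $current )
    );
}

// Save hook (widget_update_callback passes instance, new instance, old instance, widget).
// When the gate fails, drop any submitted logic instead of storing it.
function wl_example_widget_update_callback( $instance, $new_instance, $old_instance, $widget ) {
    if ( ! wl_user_may_edit_logic() ) {
        unset( $instance['widget_logic'] ); // assumed instance field name
        return $instance;
    }
    $instance['widget_logic'] = isset( $new_instance['widget_logic'] )
        ? (string) $new_instance['widget_logic']
        : '';
    return $instance;
}

// Register the admin-side hooks only for a user who passes the gate.
// Front-end evaluation of already-saved logic is deliberately left untouched.
function wl_example_register_admin_hooks() {
    if ( ! is_admin() || ! wl_user_may_edit_logic() ) {
        return;
    }
    add_action( 'in_widget_form', 'wl_example_expand_control', 10, 3 );
    add_filter( 'widget_update_callback', 'wl_example_widget_update_callback', 10, 4 );
}
add_action( 'init', 'wl_example_register_admin_hooks' );
```

Two caveats worth keeping in mind with this pattern. Passing a role name such as "administrator" to `current_user_can()` does work, because WordPress stores roles as capabilities on the user, but it is discouraged in favour of a real capability (for example `manage_options`), and the example only keeps the role name because that is the default the ticket proposes. Second, unset-hooks-for-unprivileged-users is only as strong as the save path: the `widget_update_callback` filter must discard the submitted field as well, since a user can still post a crafted widget form even when the input was never rendered for them.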