Plugin Directory

Opened 6 years ago

#1498 new enhancement

Security feature for Widget Logic

Reported by: outis Owned by:
Priority: normal Severity: major
Plugin: not-listed Keywords: widget-logic security capabilities has-patch
Cc: alanft


The description for Widget Logic notes:

Anyone who has access to edit widget appearance will have the right to add any code, including malicious and possibly destructive functions.

There are mitigating factors for this, such as the "edit_theme_options" capability (required to view the Widgets options page in WP 3.0 and later) is only granted by default to administrators and the super admin. Even so, Widget Logic could benefit from a measure of security.

The attached patch addresses this by using WP capabilities. It adds an option that is used to store a capability, defaulting to "administrator" and set by a text input (placed next to the other WL options). WL admin actions are only added if the current user has this capability. Additionally, widget_logic_expand_control, widget_logic_options_filter and widget_logic_widget_update_callback also check that the current user has the configured capability; if not, they exit before performing any processing.

Attachments (1)

widget-logic.patch (8.6 KB) - added by outis 4 years ago.
Adds capabilities checks to admin functions of Widget Logic.

Download all attachments as: .zip

Change History (1)

@outis4 years ago

Adds capabilities checks to admin functions of Widget Logic.

Note: See TracTickets for help on using tickets.