WordPress has a lot of default global variables. One of them is $current_user. Its meaning is clear: the current user, i.e. the user whose session is running on your website (regardless of whether he/she is logged in or not).

So a developer who doesn't know about this global variable might easily create a variable with the same name, as I once did. I was coding fast and needed to get a user by URL slug, so I wrote this line:

$current_user = get_user_by('slug', $anyusernamehere);

Then I continued and finished the task. Everything worked perfectly. But some time later, when I tested the site in a private browser window, I discovered a horrible vulnerability.


When I fetched the user by slug I assigned the result to $current_user (which I thought I had just created, but which is actually the WordPress global variable) and boom: the session gained the access of the $anyusernamehere user, without knowing his/her password.

Since that vulnerability I always choose the names of my local variables carefully. Just use names that differ from the global variables 🙂
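To show why the assignment above is enough to switch identity, and how the rename fixes it, here is a stand-alone illustration I am adding to this post (it is not WordPress code). WP_User, get_user_by() and wp_get_current_user() are simplified stand-ins that mirror one relevant WordPress behaviour: wp_get_current_user() returns the global $current_user unchanged if it already holds a WP_User object. The user records are constructed sample data, and the snippet assumes the buggy line runs in global scope (top level of a plugin file or functions.php).

```php
<?php
// Added example, not the blog's or WordPress' own code. The three definitions
// below are simplified stand-ins for the real WordPress functions/classes.
class WP_User {
    public function __construct(public int $ID, public string $user_login, public array $roles) {}
}

// Constructed sample data standing in for the users table.
$users_by_slug = [
    'alice' => new WP_User(7, 'alice', ['administrator']),
    'bob'   => new WP_User(12, 'bob', ['subscriber']),
];

function get_user_by(string $field, string $value): WP_User|false {
    global $users_by_slug;
    return $field === 'slug' ? ($users_by_slug[$value] ?? false) : false;
}

// Mirrors the WordPress check: an already-populated global $current_user
// holding a WP_User is trusted as the identity of the current request.
function wp_get_current_user(): WP_User {
    global $current_user;
    if ($current_user instanceof WP_User) {
        return $current_user;
    }
    return new WP_User(0, '', []);   // anonymous visitor (ID 0)
}

// VULNERABLE: at global scope this line overwrites WordPress' $current_user,
// so every later capability check runs as the looked-up user.
$slug = 'alice';                     // in the real bug this came from the URL
$current_user = get_user_by('slug', $slug);
$who = wp_get_current_user();
echo "vulnerable: request now acts as {$who->user_login} (roles: "
   . implode(',', $who->roles) . ")\n";

// FIXED: a distinctly named local variable leaves the global untouched.
unset($current_user);                // reset the global for the demonstration
$profile_user = get_user_by('slug', $slug);
$who = wp_get_current_user();
echo "fixed: request still acts as ID {$who->ID} (anonymous); "
   . "profile shown for {$profile_user->user_login}\n";
```

Run with `php example.php` (PHP 8.0 or newer for the union return type and constructor property promotion). A quick check for the same pattern in an existing code base is to search theme and plugin files for any assignment to $current_user outside WordPress core.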
