WordPress has a lot of default global variables. One of them is $current_user. It has clear meaning – current user – the user who is in session on your website(it doesn’t matter he/she is logged in or not)
So developer who doesn’t know about this global variable might easily create such variable. As one time i did. I was coding fast and needed to get user by url slug. I wrote such string
Then i continued and finished task. Everything worked perfectly. But sometime later when i tested site in private browser i discovered horroble vulnerability.
When i get user by slug i give this data to $current_user variable(which i think i created first, but actually it is wordpress global variable) and boom, session gained $anyusernamehere user access. Without knowing his/her password.
So after that vulnerability i always choose variable names for my local variables attentively. Just use different names from global variables 🙂
You must log in to post a comment.