// Plugins security – extend, not erode!

WordPress attachment api functions and any post type

Core has put some effort into preventing attachment post type functions from being used on other post types. Usually the check is done by calling get_post and comparing the post type with attachment, but this is selective and done only in hand-picked places, mainly for performance reasons, so many functions lack this check. Eli5 PoC One of …

WordPress and multiple maybe_unserialize

WordPress introduced maybe_unserialize and maybe_serialize as security functions in the past, and they are deeply integrated into core. Usually for backward compatibility, or because of improper usage in the past, many software vendors apply multiple maybe_unserialize calls to values that could have been planted in the DB with a lower number of maybe_serialize calls. Eli5 PoC and if you think that this code doesn’t exist then …

