• Resolved emmess

    (@emmess)


    Hello,

    thank you for this nice little plugin.
    However there might be a small bug at the moment, which makes it possible to enumerate users while the plugin is active. When changing a letter case in the query parameter the regex doesn’t work anymore and therefore doesn’t prevent the output.

    Used url: example.org/?rest_route=/wp/v2/usErs/

    have a nice day

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Alan Fuller

    (@alanfuller)

    Changing the regex to ignore case should work

    i.e.

    preg_match( '/users/i'

    If you would like to test that I’ll incorporate into a release.
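
Added example, not part of the original thread and not the plugin's own code: a regression check that runs the case-sensitive pattern and the `/i` pattern from the reply above over every upper/lower-case spelling of `users` in a `rest_route` value. The function names and the constructed `/wp/v2/<spelling>/` inputs are assumptions made for illustration.

```php
<?php
// Added example. Function names are hypothetical, not the plugin's own.

// Case-sensitive match: the behaviour the report describes.
function is_user_route_strict(string $route): bool {
    return preg_match('/users/', $route) === 1;
}

// Case-insensitive match, using the /i modifier proposed in the reply.
function is_user_route_nocase(string $route): bool {
    return preg_match('/users/i', $route) === 1;
}

// Build every upper/lower-case spelling of a word (2^n variants).
function case_variants(string $word): array {
    $variants = [''];
    foreach (str_split($word) as $ch) {
        $next = [];
        foreach ($variants as $prefix) {
            $next[] = $prefix . strtolower($ch);
            $next[] = $prefix . strtoupper($ch);
        }
        $variants = $next;
    }
    return $variants;
}

// Return the rest_route values that a given check fails to flag.
function missed_routes(callable $check): array {
    $missed = [];
    foreach (case_variants('users') as $spelling) {
        $route = "/wp/v2/{$spelling}/"; // constructed test input
        if (!$check($route)) {
            $missed[] = $route;
        }
    }
    return $missed;
}

$strict = missed_routes('is_user_route_strict');
$nocase = missed_routes('is_user_route_nocase');

printf("case-sensitive check misses %d spellings\n", count($strict));
printf("reported route missed: %s\n", in_array('/wp/v2/usErs/', $strict, true) ? 'yes' : 'no');
printf("case-insensitive check misses %d spellings\n", count($nocase));
```

A check like this can sit in the plugin's test suite so that a later change to the pattern cannot silently reintroduce the case-sensitive match.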

    Plugin Author Alan Fuller

    (@alanfuller)

    Fixed in 1.3.32

    Thread Starter emmess

    (@emmess)

    That was fast and worked.

    thank you

    Putting the above information into the changelog would be nice. There was no text notice in both 1.3.31 and 1.3.32

    Plugin Author Alan Fuller

    (@alanfuller)

    Always best to start your own support request, rather than jumping on, as things can get missed in a resolved thread.

    The change notes were accidentally in the upgrade section, not change log section. Corrected now. Thanks for pointing out an issue.

  • The topic ‘Plugin can be bypassed with uppercase letters’ is closed to new replies.