[Plugin: WP Security Scan] Bug: Database Security – database.php
Bug 1. Function where wp-config.php gets changed.
The function will replace <b>all</b> instances of $GLOBALS['table_prefix'], even if the value it is replacing is not $table_prefix = 'foobar';
e.g. New prefix: “foo”. If the username is <i>define('DB_USER', 'wp_');</i> (happens to be <i>wp_</i>), the username will also be changed to “foo”.
(Line 141 of database.php)
Suggestion: make the criteria for <i>str_replace</i> include: <i>$table_prefix = '</i> and <i>';</i> like:
$table_prefix = 'kwapc_';
// \$ keeps PHP from interpolating $table_prefix inside the double-quoted strings
$line = str_replace("\$table_prefix = '".$GLOBALS['table_prefix']."';", "\$table_prefix = '".$newpref."';", $line);
Bug 2. MySQL: Entries in table wp_usermeta whose meta_key value == “wp_capabilities” and “wp_metaboxorder_dashboard” do not get changed into the new prefix values.
This causes WordPress to output errors like “You do not have sufficient permissions to access this page.”, especially in administration pages.
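The anchored replacement suggested in Bug 1, next to the unanchored one, as an added example that is not part of the original post or the plugin's code. The sample config, the function names and the prefix character check are assumptions made for illustration.

```php
<?php
// Constructed wp-config.php fragment for illustration (not a real site's file).
$config = <<<'CFG'
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_');
define('DB_PASSWORD', 'example-only');
$table_prefix  = 'wp_';
CFG;

// Unanchored replacement as described in Bug 1: every occurrence of the old
// prefix is rewritten, so DB_USER 'wp_' is changed as well.
function replace_prefix_naive(string $config, string $old, string $new): string
{
    return str_replace($old, $new, $config);
}

// Anchored replacement: only the $table_prefix assignment is rewritten.
function replace_prefix_anchored(string $config, string $old, string $new): string
{
    // Assumption: a prefix may contain only letters, digits and underscores.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $new)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // Match "$table_prefix = '<old>';" with flexible spacing and either quote style.
    $pattern = '/^(\s*\$table_prefix\s*=\s*)([\'"])' . preg_quote($old, '/') . '\2(\s*;)/m';
    $count = 0;
    $result = preg_replace_callback(
        $pattern,
        fn(array $m): string => $m[1] . $m[2] . $new . $m[2] . $m[3],
        $config,
        -1,
        $count
    );
    // Refuse to write the file back unless exactly one assignment was changed.
    if ($result === null || $count !== 1) {
        throw new RuntimeException('expected exactly one $table_prefix assignment');
    }
    return $result;
}

echo "--- unanchored ---\n", replace_prefix_naive($config, 'wp_', 'foo'), "\n\n";
echo "--- anchored ---\n", replace_prefix_anchored($config, 'wp_', 'foo'), "\n";
```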