sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Shiny Updates: Add capability checks to the ajax callbacks, to ensure the current user is allowed to install/update plugins.

Browse Source 
See #29820



git-svn-id: https://develop.svn.wordpress.org/trunk@31334 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Gary Pendergast 2015-02-05 06:04:32 +00:00
parent 748d595b5c
commit d0379f4fb7
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/wp-admin/includes/ajax-actions.php
View File

@ -2835,6 +2835,10 @@ function wp_ajax_destroy_sessions() {
* @since 4.2.0
*/
function wp_ajax_install_plugin() {
if ( ! current_user_can( 'install_plugins' ) ) {
wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
}
check_ajax_referer( 'updates' );
include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );
@ -2875,6 +2879,10 @@ function wp_ajax_install_plugin() {
* @since 4.2.0
*/
function wp_ajax_update_plugin() {
if ( ! current_user_can( 'update_plugins' ) ) {
wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
}
check_ajax_referer( 'updates' );
include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );