This topic contains 4 replies, has 2 voices, and was last updated by 
Anh Tran 2 months, 3 weeks ago.
-
Topic
-
Hello,
I use mb user profile on one of my site, which is supposed to be a front end form for user profile editing, “front end” , meaning “wild and dangerous” …
and discovered that you do not verify if the current user submitting the form has the same id as in your hidden input ‘user_id’.
So if you simply change the value of hidden input name rwmb_form_config[user_id] with any other id, it saves the meta values on this other user id without a blink … that is a big big one! you should not at all send this user_id and use it to save the form… i could change the password of another user just by changing user_id to his id…i am very found of your plugins and use them since many years, but i must say, you need to improve your security measures on the front end ones…
-
Replies
-
Hi Virgile, thanks a lot for your feedback. I’ll check and fix the plugin asap!
To be honest, security is not my strength and I’m still improving it. Thanks for your help!
security is hard to guarantee, specially on wordpress’s front end… the main rule to have in mind would be “never trust data coming from the front end”.
about, resolving the issue, do you think that if i compare $config[‘user_id’] with wp_get_current_user() ‘ s ID inside your “rwmb_profile_validate” filter and return false if they don’t match would do the trick ?
Fixed in the version 1.3.0. I see that we don’t need the
user_idparameter at all, since the form is only for the current user.FYI: the latest version brings back this parameter to the shortcode while not revealing it in the HTML.
You must be logged in to reply to this topic.