Require manage_options to add a custom status#940
Merged
GaryJones merged 1 commit intoApr 23, 2026
Conversation
The handle_add_custom_status admin handler verified the nonce but did not re-check the user's capability, leaving the action relying solely on the admin page's render-time cap check. A user with a valid nonce (e.g. a lower-privileged contributor who obtains one via XSS or a shared form) could therefore create custom statuses. Layering an explicit manage_options check restores defence in depth and matches the pattern used elsewhere in the module.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
EF_Custom_Status::handle_add_custom_status()verified the form's nonce but did not re-check the user's capability, leaving the action relying on the surrounding admin page's render-time cap check. That is fragile as defence in depth: a user who obtains a validcustom-status-add-nonce(for example through an XSS chain, a shared clipboard, or a leaked form) could submit the handler directly and have a status created on their behalf, even if they lackmanage_options.This change adds an explicit
current_user_can( 'manage_options' )check immediately after the nonce is verified, mirroring the pattern already used by the migrate, edit, and delete handlers in the same class. New integration tests cover both directions: a subscriber with a valid nonce hitswp_die, and an administrator can still complete the flow end-to-end.Test plan
composer test— the two new tests inCustomStatusAddHandlerTestpass