Seguridad WordPress

WordPress Post Metadata Security: Choosing proper post meta key names for your plugins or themes

From now on, I will write some posts in English to reach a wider audience, when I consider it necessary. My apologies if you are not interested at all --- hopefully the people who read our feed will not be bothered. Spanish translations will be published, but that will depend on how much time I have.

That being said, the latest security release of WordPress introduced one important change that, perhaps, every plugin or theme developer should be aware of. Since the release announcement does not explain the security fixes in detail, I will briefly describe this change.

Back in 2007, I published an advisory concerning post metadata. It allowed unauthorized users to upload and run PHP code. The WordPress core team fixed the issue by protecting internal metadata from being manipulated by users. Over the years, new internal metadata items were added, and the protection provided by the previous fix was no longer up to date.

WordPress 3.1.3 introduced two new functions, is_protected_meta and sanitize_meta. They are used to protect all internal meta values from being changed through non-standard methods. As you may already know, WordPress uses keys that begin with an underscore for its internal metadata. So, if you are using custom meta values, consider prefixing their keys with an underscore to benefit from the protection provided by the core, and also sanitize the data before saving it and escape it before sending it to the browser. Otherwise, even if you validate and sanitize the user input when saving, you may run into problems by assuming that the data coming from the database is safe: these values can be modified through, for example, admin-ajax.php.
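As an added example (not code from the original post), the pattern described above in plugin form: an underscore-prefixed key so that is_protected_meta() covers it, a sanitizer hooked on the filter that sanitize_meta() applies, a capability and nonce check on save, and escaping on output. The plugin prefix, meta key, form field and nonce names are assumptions, and the meta box that prints the field and nonce is not shown.

```php
<?php
// Added example, not part of the original post. Names prefixed "myplugin_"
// and the meta key below are assumptions for illustration.

// Underscore prefix: is_protected_meta() returns true for keys starting with
// "_", so the generic custom-fields UI and admin-ajax.php refuse to edit it.
define( 'MYPLUGIN_META_KEY', '_myplugin_subtitle' );

// Sanitizer wired into sanitize_meta(): core applies the filter
// "sanitize_{$meta_type}_meta_{$meta_key}" whenever the value is stored
// through add_post_meta() / update_post_meta().
add_filter( 'sanitize_post_meta_' . MYPLUGIN_META_KEY, 'myplugin_sanitize_subtitle', 10, 3 );
function myplugin_sanitize_subtitle( $value, $meta_key, $meta_type ) {
    // Remove tags, invalid UTF-8 and stray whitespace, then cap the length.
    $value = sanitize_text_field( (string) $value );
    return mb_substr( $value, 0, 200 );
}

// Save handler: the protected key only stops the generic editing paths, so
// the plugin's own path must still verify the nonce and the capability.
add_action( 'save_post', 'myplugin_save_subtitle' );
function myplugin_save_subtitle( $post_id ) {
    if ( ! isset( $_POST['myplugin_subtitle'], $_POST['myplugin_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['myplugin_nonce'], 'myplugin_save_subtitle' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // update_post_meta() expects slashed input (as $_POST is in WordPress)
    // and runs the value through sanitize_meta(), i.e. the filter above.
    update_post_meta( $post_id, MYPLUGIN_META_KEY, $_POST['myplugin_subtitle'] );
}

// Output: do not trust the stored value; escape for the context it lands in.
function myplugin_the_subtitle( $post_id ) {
    $subtitle = get_post_meta( $post_id, MYPLUGIN_META_KEY, true );
    if ( '' === $subtitle ) {
        return;
    }
    echo '<p class="subtitle">' . esc_html( $subtitle ) . '</p>';
}
```

The sanitize filter runs on every write through the meta API, so a value written by another code path still passes through it, while esc_html() on output covers values that reached the database some other way.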