• Hi, I don’t know exactly what it’s called, but when we go to edit a post, we can see under Custom Fields the keys and values that users can enter.

    My question would be, how much can I trust that these fields can 1. only be seen by me and 2. only be used and modified by me?

    Previously I used shortcodes for parsing any file onto my page. This is a huge security risk, since visitors can simply use my shortcode and get all files in my system.

    Now I still need this functionality, so I found custom fields and thought that I could add the key “file_parse” and the value “path/to/my/file.html” to parse it this way. Am I missing a vulnerability again, or is this fully safe to do?

Viewing 3 replies - 1 through 3 (of 3 total)
  • There’s not much difference between doing this with custom fields and using a shortcode. If the user has editor access then they can use custom fields to parse any file too.

    One thing I don’t quite understand though is that you mention visitors potentially using your shortcode as a risk. This should only be a problem if those visitors have access to edit content on the website. Is that something that’s happening in your website?

    Thread Starter kingkonglauncher

    (@kingkonglauncher)

    The only user that can edit posts is myself, aka the admin. I have some weird setup where users can indeed inject not code but text into the backend (and in case I have missed something, which is very possible, then I could accidentally perform do_shortcode on the page which contains user text). Which means that they can potentially trigger shortcodes.

    So I simplified the strategy by avoiding all sorts of functional/powerful shortcodes and instead only use shortcodes for displaying simple HTML etc.

    So from my understanding of your writing, as long as I make sure that user roles don’t have access to edit posts, we should be safe?

    Moderator bcworkz

    (@bcworkz)

    Security is multi-faceted and dependent on the implementation. It’s all for naught if a user has more privilege than necessary (insider attack). Themes and plugins in the WP repository have been reviewed by knowledgeable volunteers, which is some assurance of secure implementation. It’s still possible for vulnerabilities to slip through; it’s not a guarantee of absolute security. Software from other sources is buyer beware.

    Proper security measures are discussed at
    https://developer.www.ads-software.com/plugins/security/
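A hardened shape for the file-parsing shortcode discussed in this thread, as an added example that is not code from any participant here. It assumes the files to be displayed live in a `snippets` folder inside the active theme, a `name` attribute instead of a path, and the `kk_` function names are made up for the illustration.

```php
<?php
// Added example, not code from this thread. Assumes the files to be
// displayed live in a fixed "snippets" folder inside the active theme.
// The shortcode takes a short name, never a path, and refuses anything
// that resolves outside that folder.

function kk_snippet_base_dir() {
    return trailingslashit( get_template_directory() ) . 'snippets/';
}

function kk_resolve_snippet( $name ) {
    // Only letters, digits, dash and underscore: no slashes, dots or NUL bytes.
    if ( ! is_string( $name ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $name ) ) {
        return false;
    }
    $base = realpath( kk_snippet_base_dir() );
    $path = realpath( kk_snippet_base_dir() . $name . '.html' );
    // realpath() collapses any traversal; confirm the result is still inside $base.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function kk_file_parse_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => '' ), $atts, 'file_parse' );
    $path = kk_resolve_snippet( $atts['name'] );
    if ( false === $path ) {
        return ''; // unknown or out-of-tree file: render nothing, not an error message
    }
    // The files are static HTML maintained by the site admin; filter them anyway.
    return wp_kses_post( file_get_contents( $path ) );
}
add_shortcode( 'file_parse', 'kk_file_parse_shortcode' );

// The other half of the thread's concern: text submitted by visitors must
// never be handed to do_shortcode(). Strip shortcode tags before echoing it.
function kk_safe_visitor_text( $text ) {
    return esc_html( strip_shortcodes( $text ) );
}
```

The allow-list on the name, plus the `realpath()` containment check, is what turns "parse any file on the server" into "show one of a known set of admin-maintained snippets", whatever role the person editing the post happens to have.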

  • The topic ‘Is Custom Post Fields safe for scripting?’ is closed to new replies.