Package: wordpress Version: 3.6.1+dfsg-1~deb7u2 Severity: normal Tags: security upstream patch
Hi, Upstream Wordpress 3.8.2 introduced a bug in bulk_edit_posts: https://core.trac.wordpress.org/ticket/27792 It seems to me that cs27976_priv_esc backported the bug into Wordpress 3.6, though I haven't tested in a running WP instance. There was an incomplete fix committed as cs27991, that was reverted and improved by cs28114. Combining these, I ended up with the attached cs28114_bulk_edit_posts Thanks. -- System Information: Debian Release: 7.1 APT prefers proposed-updates APT policy: (500, 'proposed-updates'), (500, 'stable') Architecture: kfreebsd-amd64 (x86_64) Kernel: kFreeBSD 9.0-2-amd64-xenhvm Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Index: wordpress-3.6.1+dfsg/wp-admin/includes/post.php =================================================================== --- wordpress-3.6.1+dfsg.orig/wp-admin/includes/post.php 2014-04-17 11:54:34.000000000 +0100 +++ wordpress-3.6.1+dfsg/wp-admin/includes/post.php 2014-04-17 13:36:59.000000000 +0100 @@ -395,7 +395,12 @@ } $updated = $skipped = $locked = array(); + $shared_post_data = $post_data; + foreach ( $post_IDs as $post_ID ) { + // Start with fresh post data with each iteration. + $post_data = $shared_post_data; + $post_type_object = get_post_type_object( get_post_type( $post_ID ) ); if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( 'edit_post', $post_ID ) ) {