close
Skip to content

Post author can be assigned to Subscribers via DOM manipulation in editor #71299

New issue
New issue
Open
#71300
Open
Post author can be assigned to Subscribers via DOM manipulation in editor#71299
#71300
Assignees
R1shabh-Gupta
Labels
[Status] In ProgressTracking issues with work in progress[Type] BugAn existing feature does not function as intended
@R1shabh-Gupta

Description

@R1shabh-Gupta
R1shabh-Gupta
opened on Aug 21, 2025

Description

Reported in Trac: https://core.trac.wordpress.org/ticket/63856

Security Vulnerability: The Gutenberg editor allows posts to be assigned to Subscribers (users who shouldn't be able to author content) through DOM manipulation in the author dropdown.

Expected behavior: Only users with appropriate capabilities (Administrator, Editor, Contributor) should be assignable as post authors, both in the UI and programmatically.

Current behavior: While the author dropdown correctly displays only valid authors, manually changing the dropdown value via browser developer tools allows assignment of posts to Subscribers, bypassing WordPress role-based permissions.

This is a security issue as it allows unauthorized users to be assigned as content authors.

Step-by-step reproduction instructions

  1. Create a user with 'Subscriber' role (e.g., user ID 4)
  2. Create a user with 'Contributor' role (e.g., user ID 6)
  3. Create or edit a post as an Administrator
  4. In the post editor, go to the Document Settings panel on the right
  5. Open browser Developer Tools
  6. Locate the Author dropdown in the Document Settings
  7. Inspect the <select> element for the author dropdown
  8. Manually change the value attribute of Contributor to the Subscriber's user ID (e.g., value="4")
  9. Save/update the post
  10. Verify that the post is now assigned to the Subscriber user

Result: The post gets successfully assigned to a Subscriber, who should not have authoring capabilities.

Screenshots, screen recording, code snippet

Screen.Recording.2025-08-22.at.1.12.35.AM.mov

Environment info

  • WordPress: 6.9-alpha-60342
  • PHP: 8.2.28
  • Server: Apache/2.4.62 (Debian)
  • Database: mysqli (Server: 11.8.2-MariaDB-ubu2404 / Client: mysqlnd 8.2.28)
  • Browser: Chrome 139.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.2
  • MU Plugins:
    • Gutenberg Test Plugin, Disable Login Autofocus
    • Gutenberg Test Plugin, Disable Remote Patterns
    • Gutenberg Test Plugin, Enable Templates UI
    • Gutenberg Test Plugin, No-cache Headers
    • Gutenberg Test Plugin, Normalize Theme
    • server-timing.php
  • Plugins:
    • Gutenberg 21.5.0-rc.1
    • Test Reports 1.2.0

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

  • Yes

Please confirm which theme type you used for testing.

  • Block
  • Classic
  • Hybrid (e.g. classic with theme.json)
  • Not sure

Metadata

Metadata

Assignees

Labels

[Status] In ProgressTracking issues with work in progress[Type] BugAn existing feature does not function as intended

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions