CIVI-SA-2016-22 Profile permission check bypass in WordPress

Published
2016-11-28 21:18
This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.

It was identified that CiviCRM running on the WordPress CMS did not trigger ACL checks when a CiviCRM profile URL was viewed through a checksum link. Because the ACL checks were not applied on that path, a profile page reached via checksum could disclose contact data that the site's ACLs were meant to restrict.
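The failure mode described above, modelled as an added example rather than CiviCRM's own code: a checksum link authenticates the bearer as the contact the link was issued for, but the vulnerable path treats a valid checksum as authorization and never consults the ACL, while the fixed path still runs the ACL check for the resulting identity. The token format (HMAC-SHA256 over contact id and expiry), the site key, the contact records and the ACL table are all constructed for the illustration.

```python
"""Model of a checksum-authenticated profile view, shown first with the
ACL check skipped (the bug pattern) and then with it enforced.

Added example, not CiviCRM code. The token format (HMAC-SHA256 over the
contact id and an expiry), the site key, the contact records and the
ACL table are all constructed for this illustration.
"""
import hashlib
import hmac
import time

SITE_KEY = b"constructed-site-key-for-the-example"   # assumption: per-site secret

# Constructed records. "internal_notes" is staff-only data that must never
# reach the profile page of an anonymous or self-service viewer.
CONTACTS = {
    101: {"display_name": "Ada Example", "email": "ada@example.org",
          "internal_notes": "major donor, call before mailing"},
    102: {"display_name": "Bob Example", "email": "bob@example.org",
          "internal_notes": "disputed invoice 2016-11"},
}

# Fields a contact may see on their own record when arriving via a checksum link.
SELF_FIELDS = {"display_name", "email"}


def acl_fields(identity, contact_id):
    """Constructed ACL: which fields `identity` may view on `contact_id`.

    identity is a role name ("admin", "staff", "anonymous") or the tuple
    ("contact", id) for a requester authenticated by a checksum link."""
    if contact_id not in CONTACTS:
        return set()
    if identity == "admin":
        return set(CONTACTS[contact_id])
    if identity == "staff" and contact_id == 101:      # staff may see one contact fully
        return set(CONTACTS[contact_id])
    if identity == ("contact", contact_id):            # self-access: public fields only
        return set(SELF_FIELDS)
    return set()


def _now(now):
    return time.time() if now is None else now


def make_checksum(contact_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Issue a link token for one contact: "<expiry>_<hmac-sha256-hex>"."""
    expires = int(_now(now)) + ttl_seconds
    mac = hmac.new(SITE_KEY, f"{contact_id}_{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}_{mac}"


def checksum_valid(contact_id, checksum, now=None):
    """True only if `checksum` was issued for `contact_id` and has not expired."""
    if not checksum:
        return False
    try:
        expires_s, mac = checksum.split("_", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if expires < _now(now):
        return False
    expected = hmac.new(SITE_KEY, f"{contact_id}_{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def _render(contact_id, fields):
    """Build the profile page data for the permitted fields; None if nothing is permitted."""
    return {f: CONTACTS[contact_id][f] for f in sorted(fields)} or None


def view_profile_vulnerable(contact_id, checksum, viewer, now=None):
    """Bug pattern: a valid checksum short-circuits authorization.

    The link only proves the bearer received a link for this contact, but the
    code treats it as permission to see the whole record; the ACL is never
    consulted on this path, so staff-only fields are disclosed."""
    if contact_id in CONTACTS and checksum_valid(contact_id, checksum, now):
        return dict(CONTACTS[contact_id])               # ACL skipped entirely
    return _render(contact_id, acl_fields(viewer, contact_id))


def view_profile_fixed(contact_id, checksum, viewer, now=None):
    """Fixed pattern: the checksum establishes *who* is asking; the ACL still
    decides *what* they may see. The logged-in viewer's own permissions are
    kept, so staff following a link lose nothing, and a checksum issued for
    one contact never opens another contact's record."""
    fields = acl_fields(viewer, contact_id)
    if checksum_valid(contact_id, checksum, now):
        fields = fields | acl_fields(("contact", contact_id), contact_id)
    return _render(contact_id, fields)
```

The point to carry over when auditing similar code paths: validate the checksum against the contact id actually requested, then pass the resulting identity through the same ACL check every other profile request goes through, rather than returning early because the token verified.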

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions
  • 4.7.13
  • 4.6.23
Fixed Versions
  • 4.7.14
  • 4.6.24
Solutions

Upgrade to the latest CiviCRM release.

If you cannot upgrade to the latest CiviCRM version, apply the patch at https://github.com/civicrm/civicrm-core/pull/8707

Credits

Brian Shaughnessy for reporting the issue and providing a fix
