Hacker News
by Genbox 615 days ago
For those reviewing the changeset: There are two places where they read a value directly from $_POST into an $args array. There is no validation applied, which means an attacker can inject whatever value they wish.

And 2 problems in the fix:

- It’s a specific symptom fix: The same problem could occur with $_COOKIE or $_REQUEST always being available

- The cleanup is not done in a finally{}, so random missing vars when an exception occurs.

Exec summary: Horrible code as always in WP.
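One way to address both points above (allowlist validation before anything from a request array reaches $args, and cleanup in a finally block so an exception cannot leave state behind), as an added PHP illustration that is not code from the thread or from the plugin it discusses; the function names, the `mode` and `limit` parameters and the allowlist values are hypothetical:

```php
<?php
// Added illustration, not code from the thread or from the plugin under discussion.
// All function names, parameter names and allowlist values here are hypothetical.

/**
 * Build $args from user input using an allowlist instead of copying raw values.
 * The caller passes the source array in, so the same validation applies whether
 * the values came from $_POST, $_COOKIE or $_REQUEST.
 */
function build_args(array $request): array
{
    $allowed_modes = ['list', 'grid'];   // hypothetical allowlist of valid values
    $args = [];

    // String parameter: check type and membership, never copy the raw value through.
    $mode = $request['mode'] ?? 'list';
    if (!is_string($mode) || !in_array($mode, $allowed_modes, true)) {
        throw new InvalidArgumentException('invalid mode');
    }
    $args['mode'] = $mode;

    // Numeric parameter: validate as an integer within bounds instead of trusting a string.
    $limit = filter_var($request['limit'] ?? 10, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($limit === false) {
        throw new InvalidArgumentException('invalid limit');
    }
    $args['limit'] = $limit;

    return $args;
}

/**
 * Temporarily override a global, run the callback, and restore the previous value in
 * finally, so an exception thrown inside the callback cannot leave the global modified
 * or missing.
 */
function with_temp_global(string $name, $value, callable $fn)
{
    $had_old = array_key_exists($name, $GLOBALS);
    $old = $GLOBALS[$name] ?? null;
    $GLOBALS[$name] = $value;
    try {
        return $fn();
    } finally {
        if ($had_old) {
            $GLOBALS[$name] = $old;
        } else {
            unset($GLOBALS[$name]);
        }
    }
}
```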

In 2024, wtf. How can anyone especially on software with this kind of reach still do such absolute amateur things?
I can't speak for WP Engine devs specifically but for Wordpress customization developers, the ones I've worked with were just absolute amateurs. The people doing this are mostly untrained people hacking together stuff layer upon layer until it kind of worked. Don't even ask about using version control. I don't want to say this applies to every Webdev but it attracts a group of people that aren't too much into IT but want to quickly learn programming to have a job.
> want free software to run website

> want free plugins to add functionality to site

> absolutely will not hire developers or pay for software or plugins

> how dare the free plugin for my free software not be coded to the highest standards

That code is identical to the commercial version ACF Pro which currently costs $49/yr for a single website.