Title: Security issue
Last modified: August 31, 2016

---

# Security issue

 *  Resolved [abooster](https://wordpress.org/support/users/abooster/)
 * (@abooster)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/)
 * I like this plugin but there is a serious security issue. That has to do with
   the idiotic “insert link” dialog that BuddyPress presents to the user. While
   that dialog is very helpful for a blogger who administers his own blog, it is
   **downright malicious and poses a serious security threat** to allow random subscribers
   to see a list of ALL internal web pages including private/secret pages such as
   thank-you pages that are presented to the user only after a successful payment
   has been verified.
 * So, while it is not your fault by any means, you could easily fix the issue.
   
   Here’s an idea I found in my research on how to fix it: [http://wordpress.stackexchange.com/questions/212911/how-do-i-remove-or-disable-or-link-to-existing-content-in-insert-link-dialog](http://wordpress.stackexchange.com/questions/212911/how-do-i-remove-or-disable-or-link-to-existing-content-in-insert-link-dialog)
 * [https://wordpress.org/plugins/buddypress-docs/](https://wordpress.org/plugins/buddypress-docs/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [Boone Gorges](https://wordpress.org/support/users/boonebgorges/)
 * (@boonebgorges)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420533)
 * Hi abooster –
 * Thanks for the post.
 * I’m not able to reproduce your issue. As a regular user (Subscriber level), neither
   private pages nor drafts appear in the Link autocomplete dialog. In fact, in 
   my tests, private pages don’t even appear for the site administrator. The AJAX
   callback that powers the dialog specifically excludes non-public items: [https://core.trac.wordpress.org/browser/tags/4.5.2/src/wp-includes/class-wp-editor.php?marks=1325#L1307](https://core.trac.wordpress.org/browser/tags/4.5.2/src/wp-includes/class-wp-editor.php?marks=1325#L1307)
 * My guess is that you are using a third-party plugin to make certain pages “private/
   secret … after a successful payment has been verified”. If this is the case, 
   then that plugin ought to be responsible for ensuring that the pages cannot be
   accessed in other parts of the interface. The ‘wp_link_query_args’ filter can
   be used to add exclusions. (BuddyPress Docs itself has global protection that
   prevents off-limits Docs from appearing in *any* listing, including the link 
   dialog.)
 * Removing the internal link dialog doesn’t seem like a good solution, as it’s
   a useful piece of functionality that plays an important role in many people’s
   workflow. You are, of course, welcome to remove it on your own site. (Use
   `if ( bp_docs_is_doc_edit() ) { ... }` to limit the disabling to the Docs editing interface.)
 * It’s worth noting that this behavior has nothing to do with BuddyPress. The link
   dialog is default WordPress functionality, and BuddyPress Docs uses WP’s editor.
   Blame either WordPress or Docs, if you must, but BuddyPress is innocent 🙂
 *  Thread Starter [abooster](https://wordpress.org/support/users/abooster/)
 * (@abooster)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420549)
 * Well, it seems you misunderstood something here… I never said that those pages
   are set to private. They are and must be set to *public* because even ordinary
   website visitors must be able to see the content on those pages BUT ONLY WHEN
   I SHOW IT TO THEM.
 * So, those pages need to stay hidden the same way they are hidden from search 
   engines (i.e. search engines are prohibited from indexing/crawling those pages)
   but in terms of the internal WP settings those pages need to stay “public”.
 * Do you understand now what I mean? The internal WordPress setting for those
   pages cannot be set to private. In settings the pages must remain “public”.
 * But just because I set a particular page’s settings to “public” doesn’t mean 
   I want any random user to browse those “public” but HIDDEN pages.
 * There are many different scenarios where such a situation can occur and I have
   at least 2-3 such scenarios in my case here.
 * Just because a page exists and it’s internally set to “public” doesn’t mean I
   would want users to randomly browse those pages. They MUST remain hidden and 
   the users must not be able to access those pages through the link insert dialog.
   But that’s exactly what happens when a subscriber level user tries to insert 
   a link.
 * And yes, as I said in the previous post, I understand that this behavior of the
   insert link dialog is NOT your plugin’s fault. And while I perfectly understand
   that this behavior is a core WordPress functionality **it is indeed a fault of
   the BuddyPress developers** because it is gross negligence on their part that
   they haven’t blocked BuddyPress from using that functionality!
 * That functionality is very helpful in WordPress. But BuddyPress and bbPress MUST
   be prevented/excluded from using that functionality!
 * **Removing the internal link dialog for non-admin BuddyPress and bbPress users
   is \*absolutely necessary\* for security and privacy reasons!** Absolutely necessary!
   Because doing otherwise borders on gross negligence in regards to security and
   privacy.
 * So, I’m still hoping that you implement at least an option to remove that perilous
   “insert link” dialog. Because it could take many months or years until the coders
   of the BuddyPress core realize that they are committing gross negligence here
   by knowingly leaving this security/privacy hole wide open. (If I could code,
   I would have done it a long time ago.)
 *  Plugin Author [David Cavins](https://wordpress.org/support/users/dcavins/)
 * (@dcavins)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420552)
 * You can change what is shown in WordPress’s link dialog using something like 
   this (which excludes BP Docs from being included in the list):
 *     ```
       add_filter( 'wp_link_query_args', 'my_filter_wp_link_query_args' );
       function my_filter_wp_link_query_args( $query ) {
         $query['post_type'] = array_diff(  $query['post_type'], array('bp_doc') );
         return $query;
       }
       ```
   
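An added example, not code from this thread or from the BuddyPress Docs plugin, that combines the two approaches discussed above: Boone’s pointer to the `wp_link_query_args` filter for adding exclusions, and David’s post-type exclusion. It keeps the flagged pages “public” in WordPress terms (as abooster requires) while hiding them from the link dialog for users who lack the `edit_others_posts` capability. The meta key `_hidden_from_link_dialog` and the `my_` function names are assumptions chosen for this illustration; `wp_link_query_args`, `wp_link_query`, `post__not_in` and the result array keys (`ID`, `title`, `permalink`, `info`) are standard WordPress.

```php
<?php
/**
 * Hide selected public pages from the "Insert link" dialog for non-editors.
 * Illustration written for this thread; not part of BuddyPress Docs.
 * Assumed convention: pages to hide carry the post meta key below set to "1".
 */
const MY_HIDDEN_PAGE_META_KEY = '_hidden_from_link_dialog';

/**
 * IDs of published posts/pages flagged as hidden. Cached per request because
 * both filters below call it.
 */
function my_hidden_page_ids() {
    static $ids = null;
    if ( null === $ids ) {
        $ids = get_posts( array(
            'post_type'      => 'any',
            'post_status'    => 'publish',
            'posts_per_page' => -1,
            'fields'         => 'ids',
            'meta_key'       => MY_HIDDEN_PAGE_META_KEY,
            'meta_value'     => '1',
            'no_found_rows'  => true,
        ) );
        $ids = array_map( 'intval', (array) $ids );
    }
    return $ids;
}

/** Layer 1: narrow the WP_Query arguments the dialog uses. */
add_filter( 'wp_link_query_args', 'my_filter_wp_link_query_args' );
function my_filter_wp_link_query_args( $query ) {
    // Editors and above see the full list; everyone else gets the exclusions.
    if ( current_user_can( 'edit_others_posts' ) ) {
        return $query;
    }

    // Drop whole post types (BuddyPress Docs here, as in the snippet above).
    $query['post_type'] = array_values(
        array_diff( (array) $query['post_type'], array( 'bp_doc' ) )
    );

    // Drop individually flagged pages.
    $hidden = my_hidden_page_ids();
    if ( ! empty( $hidden ) ) {
        $existing = isset( $query['post__not_in'] ) ? (array) $query['post__not_in'] : array();
        $query['post__not_in'] = array_values( array_unique( array_merge( $existing, $hidden ) ) );
    }
    return $query;
}

/**
 * Layer 2: filter the result rows as well, so a flagged page stays hidden even
 * if another plugin rewrites the query arguments after this one.
 */
add_filter( 'wp_link_query', 'my_filter_wp_link_query_results', 10, 2 );
function my_filter_wp_link_query_results( $results, $query ) {
    if ( current_user_can( 'edit_others_posts' ) ) {
        return $results;
    }
    $hidden = my_hidden_page_ids();
    return array_values( array_filter( $results, function ( $item ) use ( $hidden ) {
        return ! in_array( (int) $item['ID'], $hidden, true );
    } ) );
}
```

Drop this into the active theme’s `functions.php` (before any closing `?>`) or a small site-specific plugin, then add the custom field `_hidden_from_link_dialog` with value `1` to each thank-you page. The capability check keeps the behaviour unchanged for editors and administrators, which is a reasonable middle ground between abooster’s request to remove the dialog for non-admins and Boone’s point that the dialog is useful to people who maintain the content. To confirm it works, log in as a Subscriber, open the link dialog in a Docs editor, and check that the flagged pages no longer appear in the suggestions or in a search for their titles.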
 *  Thread Starter [abooster](https://wordpress.org/support/users/abooster/)
 * (@abooster)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420553)
 * Great! And where do I put this in?
 *  Plugin Author [David Cavins](https://wordpress.org/support/users/dcavins/)
 * (@dcavins)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420555)
 * Your theme’s `functions.php` file would be fine.
 *  Thread Starter [abooster](https://wordpress.org/support/users/abooster/)
 * (@abooster)
 * [10 years ago](https://wordpress.org/support/topic/security-issue-67/#post-7420556)
 * Hmm… I just tried that but it has no effect whatsoever. The page suggestions
   still appear in the “insert link” dialog as if nothing happened.
 * Suggestions?
 *  Plugin Author [David Cavins](https://wordpress.org/support/users/dcavins/)
 * (@dcavins)
 * [9 years, 12 months ago](https://wordpress.org/support/topic/security-issue-67/#post-7420571)
 * That exact snippet works as expected for me. Make sure you’ve added it as provided
   in the `functions.php` (before any closing PHP tags – they look like `?>`) of your
   active theme.

The topic ‘Security issue’ is closed to new replies.

 * 7 replies
 * 3 participants
 * Last reply from: [David Cavins](https://wordpress.org/support/users/dcavins/)
 * Last activity: [9 years, 12 months ago](https://wordpress.org/support/topic/security-issue-67/#post-7420571)
 * Status: resolved