WordPress.com security issue

UPDATE (Nov. 22, 2012)
The bug described below has been fixed by WordPress staff in a few hours after this posting. That was fast! 🙂

I am a journalism professor at Université du Québec à Montréal. For a digital journalism course, I set up this WordPress.com blog.

I created two accounts for myself (as illustrated below): one as Administrator (jhroy) and another as Contributor (jeanhuguesroy), in order to experience the WP backend the way my students would, since all students are registered as Contributors too.

jhroy is my admin account jeanhuguesroy is my contributor account

I gave students roles as Contributors because it enables them to submit their posts (their homework) to me while hiding the contents from their peers.

But this week, I was surprised to see some students were able to publish directly to the blog! That’s not supposed to happen! But how did it? Through my Contributor account, I was able to find out.

First, students log in through the WordPress.com website, as I did with my Contributor account:

Then, they write their post:

They click on «Publish Post». Everything’s fine to that point. Their post is submitted to me for review.

They get this message saying (here in French, because we use the French-language version of WP.com) their post is «published». But it is not really. It is still only submitted for review.

But if they’re curious (as most journalism students should be) and want to have a preview of their post, they can click on a blue Preview button (here written as «Afficher l’article»).

And this is where the bug is. By previewing their article, they inadvertantly publish it for everyone else to see!


Now, maybe this has something to do with the internationalized version we’re using. Maybe it’s the theme. I don’t know. But I’d like this hole fixed please. Merci 😉

%d blogueurs aiment ce contenu :