Hi all, Apparently there is some disagreement about this issue. I am providing more information to build a greater understanding about what is happening. This problem is entirely contained within the query.php file. At the comment header of query.php it says: "The Big Query." Yes indeed this file produces a large query. This file is very disorganized and it was difficult to go though with a fine tooth comb, but I did and i found a flaw because of it. I was looking for SQL Injection, but broken access control will get me a CVE number. Perhaps this URL provides more information: http://localhost/wordpress/index.php/'wp-admin/ I urge everyone to make this get request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables. You will see that wp-admin/ is at the end of these variables. I should have provided the exact point in which the flawed query is being built. I thought that my PoC was enough, my bad. if ( is_admin() ) $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'"; This url: htttp://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE. function is_admin () { global $wp_query; return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false)); } In the future you shouldn't attack someone who is trying to help. This is a complex and irregular issue so I totally understand why it was difficult to see. In the future you shouldn't dismiss something you do not understand, instead i urge you to ask questions and learn more. Peace
