add_submenu_page hooked function must explicitly check user capabilities – why?

Blame brings us to #12101, where @westi said this:

We also need to hilight that functions should check the capability as well and we ask for it to enforce visibility.

The commit, [12914], was part of 3.0. I thought that maybe the restriction on loading the function at all was only added later, but it was apparently added in 1.5.

My guess is, that maybe @westi didn’t remember this at the time he wrote the docs. That is why they seem to indicate that the capability provided will only be used “to determine whether or not a page is included in the menu.”

In addition, WordPress has a pattern of each admin page’s code being placed in a separate file. This allows the code to be run by accessing the file directly, which means that proper capability checks are particularly important.

Aside from this, there are no issues that could arise from not checking the capability that I can think of. It is still probably a good idea, just in case (should the function ever be called in a different context). This would prevent it from being utilized via an exploit of other code that had an arbitrary function execution vulnerability, for example.

Related Posts:

  1. How to store username and password to API in wordpress option DB?
  2. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  3. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  4. Nonces can be reused multiple times? Bug / Security issue?
  5. Can someone explain what wp_session_tokens are, and what are they used for?
  6. WordPress and PHP Sessions – Security and Performance
  7. What is the difference between esc_html and wp_filter_nohtml_kses?
  8. Nonce in settings API with tabbed navigation
  9. Log in from one wordpress website to another wordpress website
  10. Escaping built-in WP function return strings
  11. What is the difference between strip_tags and wp_filter_nohtml_kses?
  12. WP Cron doesn’t save or in post body
  13. WordPress restrict plugin file direct access
  14. Plugin development: is adding empty index.php files necessary?
  15. Confusion on WP Nonce usage in my Plugin
  16. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  17. Correct way check nonce (security) using old Options API
  18. Why do I need to check if wp_nonce_field() exists before using it
  19. Is there any way to check for user login and send him to login?
  20. WordPress security issue to output data from user input from theme option form
  21. Verify if user is wordpress logged in from another app since wordpress 4.0
  22. Secure Pages Best Practice
  23. Securing/Escaping Output of file content – reading via fread() in PHP
  24. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  25. Video Security just like facebook [closed]
  26. Is disabling test_form in wp_handle_upload a security concern?
  27. How to connect my wordpress plugin to a remote database securely?
  28. wp_nonce_field displaying twice
  29. Is it necessary to do validation again when retrieving data from database?
  30. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  31. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  32. Are there any security risks when submitting data-attribute data through AJAX?
  33. Why would you use esc_attr() on internal functions?
  34. Is it possible to use WP-CLI in a plugin (or theme)?
  35. Secruity Questions on a timer
  36. Using HTML links within translatable string
  37. How can I save a password securely as a settings field
  38. Using password protection to load different page elements?
  39. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  40. How to store sensitive user data (passwords)
  41. How do I make secure API calls from my WordPress plugin?
  42. esc_attr() on hard coded string
  43. how to add security questions on wp-registration page and validate it
  44. Experts opinions needed: How (in)secure is this approach?
  45. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  46. Data Validation, dynamically generated fields (select for example)
  47. esc_url, esc_url_raw or sanitize_url?
  48. Objective Best Practices for Plugin Development? [closed]
  49. How can I add an option to the Page Template list from a Plugin?
  50. Build path for a custom portfolio plugin
  51. How to save block attributes when the output doesn’t change
  52. How to: Rest endpoint returning empty object
  53. Ensuring a plugin is loaded/run last?
  54. Scheduled event does not run at midnight
  55. Plugin options table,is the data serialized
  56. Converting theme widgets to plugins?
  57. Sample — test — data for large WordPress install
  58. What is rich_editing?
  59. How Can I setup WP CLI on Windows development machine running AMPPS?
  60. WP_LOCALIZE_SCRIPT doesn’t work
  61. JS / JQuery form validation in backend admin menus
  62. Is using register_activation_hook required?
  63. wp_enqueue_script + wp_enqueue_style Since When
  64. How to send email in wordpress with more than one attachments
  65. Modify users.php page to create page/post on button clicked
  66. Is there an action like ‘after_register_custom_post_type’?
  67. get_current_screen() return null
  68. Frontend language per user
  69. How to get results of subcategories also?(WP Rest Api v2)
  70. How to run a function on plugin’s options page?
  71. What stylesheets are available in core?
  72. dbDelta using Foreign key not working on update [duplicate]
  73. Plugin widget zindex changes depending on theme [closed]
  74. Is there documentation reference for forms in menu and setting pages?
  75. Plugin templates vs Parent Theme
  76. wpdb->prepare and mysql UPDATE – how is it done?
  77. Return Value of load_plugin_textdomain
  78. Multiple array for post_content on plugin activation
  79. Using AND and bracket grouping in SQL not working
  80. Check if the current user is author of first comment
  81. custom wp_editor does not save the content in plugin settings
  82. How do I force a download in the admin area?
  83. add_action wp_ajax_ not loading in plugin file WP Network
  84. Login page too many redirects
  85. Configuring Xdebug with docker compose
  86. Jquery php request is returning a weird result
  87. Get the current post/page URL with plain permalinks
  88. ajax multiple Values
  89. Change Label of custom post type
  90. admin-ajax.php returns “No Script Kiddies!” sometimes
  91. Plugin outputs content of posts unbidden!
  92. Client Profiles
  93. Saving multiple fields as array
  94. Serialized Data
  95. Update custom settings field in plugin
  96. URL rewrite parameter lost (add_rewrite_rule)
  97. PHPUnit Ajax Serialization of ‘Closure’ is not allowed
  98. React Plugin Settings Page Localization
  99. Is it within WordPress guidelines to update another plugin’s database fields from my own plugin? [closed]
  100. Block Development: hamburger module throwing error in save function