security hole in wordpress-admin-bar under WPMU?

I just tried logging into using a test user account, and was surprised to see a strange item in the admin bar at the top of the page:


I was curious, so I clicked it.


mwah? Those are site-admin items, being displayed to a non-admin user. I was actually able to click the "Admin Message" item to set that, even though the logged in user wasn't an admin. Scary. Luckily, nobody's noticed the extra menu yet - or if they have, they've behaved.

I poked around in the wordpress-admin-bar.php file to see if I could plug the hole. I have no idea if this is the right way, but I've added this bit:

} else {
    if ($menu[0]['title'] === null)  continue; // this is the line I added
    echo '                  
comments powered by Disqus
Last updated: September 16, 2023