WordPress: The Case of the 404ing Permalinks

Published by John on September 21, 2015 Under Wordpress

Alternate Title: How to 404 Any Page on Your WordPress Site.

I came across an interesting bug(feature) while working on a wordpress site that allows you to make any page on your site show a 404, even though the page exists.

While creating a form, it was necessary to pass some hidden values for the page id, category id, and a few other values, so that the thanks page could display a custom message. However, upon submitting the form, the thanks page showed a 404. Visiting the page directly worked and showed without issue, but any form submission showed the default WordPress 404 template.

The Problem

After a bit of head scratching, I found that it was because I was using the post variable page_id as part of the form.

As you may know, even if you are using nice looking permalinks, wordpress will still let you goto any page or post on your site by using it’s ID. For instance, both ‘?p=594’ and ‘page_id=594’ take you to my website design page, like so: Using a Shortlink.

You can see these in the header of your site(unless you have removed it) as the shortlink variable.

An Example

I’ve created an example, by setting up a test page. If you visit the page directly, you will see some quick text: See Example.

However, the following form will show a 404 error, even though it is the same page:

What is Happening?

The above form uses a hidden ‘p’ variable, but would also work if you used ‘page_id’ instead. In this case, WordPress sees this variable and even though the permalink is to an actual page, it gives the page_id precedence and the result is the page shows as a 404.

The Form

<form action='/test-page/' method='POST'>
<input type='hidden' value='123' name='p' />
<input type='submit' value='Form Example'/>
</form>

The Fix and Security Implications

The simple fix is, as the doctor says, if it hurts when you do that, DON’T DO THAT! So, if you are making a form that sends data to a wordpress site, don’t use p or page_id as a variable unless you are wanting to use wordpress’s built-in functionality.

Other than being annoying, I’m not sure there is a direct threat as a result of this issue. This appears to only work if you POST the values and if you add a GET request to the end of the url, like /test-page/?p=123 wordpress correctly redirects to the page.

However, it is possible to use the above to send visitors to a third-party site and make what is normally a valid page, show a 404. So, I could see it as potentially causing problems with(or at least not being ideal) for your site’s SEO. There could also potentially be some value in being able to link to a real site, but not showing that site’s content. Which is to say, if a malicious person wanted to add authority, they could link to a page on a site, but the person would not be able to read it.

No Comments |