Hacker News

For some context on how you MIGHT actually “fix” the true security concern in this code:

  $allowed_callbacks = ['some_function', 'another_function']; // Example of allowed functions
  if ( in_array($original_cb, $allowed_callbacks, true) && is_callable($original_cb) ) {
      $return = call_user_func($original_cb, $post);
  } else {
      // Log or handle invalid callbacks safely
      $return = false;
  }

Tampering with global variables or else is NOT a fix, and this one in particular is like pointing out a crumb on the child’s mouth and grounding it for not brushing its teeth.

You could apply a filter to allow filtering the allowed callbacks, if you really want to allow more than the hardcoded whitelist.

In the end it still boils down to “do not use user callbacks” as the better security fix, which again shows how “they” didn’t fix a thing here. This is a blatant excuse for legal CYA.
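The contrast the comment above draws, written out as an added example (this is not the commenter's code and not code from any real plugin or from WordPress): the unsafe pattern of invoking whatever callback name the request supplies, beside the allowlisted version, with the allowlist extensible through a filter hook rather than through user input. The `$post` array, the `render_*` functions, the `example_allowed_callbacks` filter name and the tiny `add_filter`/`apply_filters` shim are all constructed here so the file runs stand-alone; the shim only mimics the shape of the WordPress hook functions and is not their implementation.

```php
<?php
// Added example: unsafe user-controlled callback vs. allowlisted callback.
// All names and data below are constructed for this demonstration.
declare(strict_types=1);

// Constructed stand-in for a post object.
$post = ['ID' => 42, 'post_title' => 'Hello'];

// Functions that are legitimately allowed to run as callbacks.
function render_title(array $post): string { return 'Title: ' . $post['post_title']; }
function render_id(array $post): string { return 'ID: ' . $post['ID']; }

// Minimal shim with the shape of a plugin filter API (assumption: mirrors
// how add_filter()/apply_filters() are called; not the real implementation).
$filters = [];
function add_filter(string $tag, callable $fn): void {
    global $filters;
    $filters[$tag][] = $fn;
}
function apply_filters(string $tag, $value) {
    global $filters;
    foreach ($filters[$tag] ?? [] as $fn) {
        $value = $fn($value);
    }
    return $value;
}

// UNSAFE: the request decides which function runs. is_callable() alone does
// not help, because almost every defined function is callable.
function run_callback_unsafe($original_cb, array $post) {
    return is_callable($original_cb) ? call_user_func($original_cb, $post) : false;
}

// HARDENED: only names on a fixed allowlist run. Other modules may extend the
// list through the filter; the request never can. in_array() with strict=true
// also rejects non-string values such as array callables.
function run_callback_allowlisted($original_cb, array $post) {
    $allowed_callbacks = ['render_title', 'render_id'];
    $allowed_callbacks = apply_filters('example_allowed_callbacks', $allowed_callbacks);

    if (in_array($original_cb, $allowed_callbacks, true) && is_callable($original_cb)) {
        return call_user_func($original_cb, $post);
    }
    // Fail closed and leave a trace for detection.
    error_log(sprintf('rejected callback name %s', var_export($original_cb, true)));
    return false;
}

// A separate module extends the allowlist via the filter, not via user input.
function render_upper(array $post): string { return strtoupper($post['post_title']); }
add_filter('example_allowed_callbacks', function (array $list): array {
    $list[] = 'render_upper';
    return $list;
});

// Constructed request values: allowed, filter-extended, and a built-in that is
// callable but not allowlisted (the unsafe version would have run it).
foreach (['render_title', 'render_upper', 'trim', ['render_id']] as $cb) {
    var_dump(run_callback_allowlisted($cb, $post));
}
```

Running the file prints the two rendered strings for `render_title` and `render_upper`, then `bool(false)` twice: `trim` is callable but not on the list, and the array value fails the strict comparison. The filter is the extension point the comment mentions; because it is applied before the check and only code loaded by the application can register on it, the request still cannot widen the allowlist.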
