Security: Disabled fields can still be edited by clever user
Reported by: anonymous | Owned by: obs
Though I haven't installed or used your plugin, I was just browsing through the source and it seems that disabled fields are only disabled superficially. In other words, only by adding a disabled attribute to the HTML tag.
A clever user could still submit a new value for the disabled field in the HTTP POST data and change its value. This is a security flaw that is particularly important for projects with anonymous contributors (such as this one :-)).
- Aamer Abbas
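
One way to enforce the restriction on the server, as an added example that is not the plugin's code and not part of the original report. The function name, field names and sample records are hypothetical and constructed for illustration; the set of read-only fields is assumed to come from the same server-side configuration that decides which inputs are rendered with `disabled`.

```python
# Added example: every name here is hypothetical, not taken from the plugin.

class ReadOnlyFieldError(ValueError):
    """Raised when a request tries to change a field the user may not edit."""


def apply_submitted_fields(stored, submitted, readonly_fields, strict=True):
    """Merge submitted form values into the stored record, server-side.

    stored          -- dict of the record's current values (trusted)
    submitted       -- dict parsed from the HTTP POST body (untrusted)
    readonly_fields -- names rendered with the `disabled` attribute for this user
    strict          -- True: reject the whole request; False: ignore and report
    """
    readonly = set(readonly_fields)
    updated = dict(stored)
    violations = []
    for name, value in submitted.items():
        if name not in stored:
            continue  # unknown field: never create keys from client input
        if name in readonly:
            # Browsers omit disabled inputs from the POST body, so a read-only
            # field arriving with a different value means a hand-built request.
            if value != stored[name]:
                violations.append(name)
            continue  # the stored value always wins for read-only fields
        updated[name] = value
    if violations and strict:
        raise ReadOnlyFieldError(
            "read-only fields modified: " + ", ".join(sorted(violations)))
    return updated, sorted(violations)


# Constructed sample data: a stored record and a POST body carrying a value
# for a field that was rendered as disabled.
STORED = {"summary": "Crash on save", "priority": "minor", "owner": "obs"}
READONLY = ["priority", "owner"]
SUBMITTED = {"summary": "Crash on save (updated)", "priority": "blocker",
             "extra": "x"}

if __name__ == "__main__":
    record, rejected = apply_submitted_fields(STORED, SUBMITTED, READONLY,
                                              strict=False)
    print(record, rejected)
```

In non-strict mode the returned list of rejected field names can be written to the audit log, which gives a signal that someone is submitting hand-built requests.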