[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()
WordPress Trac
noreply at wordpress.org
Wed Dec 7 09:39:27 UTC 2016
#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+-----------------------
 Reporter:  investici       |       Owner:
     Type:  enhancement     |      Status:  reopened
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+-----------------------
Comment (by toscho):
Note that sending the site URL (user agent and `wp_blog` header) along
with these checks makes every WP installation vulnerable to targeted
malicious updates. It is even possible that that has happened already:
There are gag orders in the US making it impossible for the .org site
admins to deny such a scenario convincingly. So we have a bad situation
for both sides. Reducing the data and offering an opt-in would really
help.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:51>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform