[wp-trac] [WordPress Trac] #36779: Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes

WordPress Trac noreply at wordpress.org
Fri May 6 18:26:47 UTC 2016


#36779: Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes
---------------------------+-----------------------------
 Reporter:  SaulNunez      |      Owner:
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Script Loader  |    Version:  4.4.2
 Severity:  normal         |   Keywords:
  Focuses:                 |
---------------------------+-----------------------------
 Basically these files are inside the /wp-admin directory, but you can hit
 them and get an output without being authenticated.

 Examples:
 http://somedomain.usingwp.com/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=4.4.2
 http://somedomain.usingwp.com/wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=4.4.2

 If these scripts are for use inside admin, why isn't authentication
 required?
 If these scripts are for general use on the admin, themes, etc., why aren't
 they in wp-includes?

 This was pointed out to me on a security scan, and apart from that, if the
 idea is general use for this, I think hosting these on /wp-admin is
 misleading.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36779>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

