[wp-trac] [WordPress Trac] #59109: Massive security flaw, please see sense.

WordPress Trac noreply at wordpress.org
Tue Aug 15 13:32:51 UTC 2023


#59109: Massive security flaw, please see sense.
--------------------------+-------------------------------
 Reporter:  tspnet        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  6.3
 Severity:  critical      |   Keywords:  reporter-feedback
  Focuses:                |
--------------------------+-------------------------------
 Honestly someone needs to see the sense in this. I'm pretty confident if
 you petitioned the worldwide WordPress community everyone would want this
 fixed, regardless of it being self-hosted or WordPress.com; this is a flaw
 in the current WordPress.

 I have given you the email to describe the issue; it explains it fully. This
 flaw needs to be fixed.

 (13:14:10) James: Regardless of whether it's open source or not WordPress
 needs to be secure
 (13:14:23) James: People, businesses, even enterprises use your product
 (13:14:59) James: There must be a way for WordPress to prevent any plugin
 from creating an admin account surely?
 (13:15:21) James: And only allow WordPress admin to do it
 (13:15:46) James: That would eliminate the flaw
 (13:15:54) James: And actually make it secure
 (13:16:57) James: I don't get how all these minds working on WordPress
 don't get this is important
 (13:17:55) Happiness Engineer: Part of the open source spirit is that
 everything is open and available to change for everybody.

 After downloading the software you can do with it whatever you want, this
 is what's also appealing for a lot of developers and users.
 (13:18:19) James: What you're basically telling me is this flaw is OK because
 WordPress is open source? It's not OK?
 (13:18:28) Happiness Engineer: Suggestions to improve the software can be
 made using a tool called Trac
 https://core.trac.wordpress.org/
 (13:19:46) James: Can you send this email to me please
 (13:19:54) James: I will post this message there
 (13:20:13) Happiness Engineer: You will receive a transcript of this
 conversation after we close it.
 (13:20:25) James: OK thanks let's close it
 (13:23:41) Happiness Engineer: Ok, no problem.
 Feel free to pop back in if there is anything else we can help you with.

 Conclusion...

 Honestly, think of this from a critical point of view: this is a flaw that
 should be fixable so that plugins cannot make admin accounts and only an
 Admin can make admin accounts.

 I'm not a coder, and I do not have the foggiest how this would be done,
 but I hope it can be done, because if you surveyed everyone who uses
 WordPress I think everyone would feel safer with this implemented.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/59109>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
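The ticket asks for a way to stop plugins from minting administrator accounts. Core cannot enforce that against code running in the same PHP process with the same privileges, which is the point the Happiness Engineer is making, but a site owner can at least detect, and optionally revert, grants of the administrator role that do not come from a request by someone allowed to promote users. The must-use plugin below is an added example written for this discussion; it is not WordPress core code and was not attached to the ticket. The `set_user_role` and `add_user_role` actions, `current_user_can()`, `promote_users`, `wp_installing()` and `get_userdata()` are real WordPress APIs; the plugin name, the function names and the `ADMIN_ROLE_GUARD_ENFORCE` constant are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Admin Role Guard (added example, not WordPress core code)
 * Description: Logs, and optionally reverts, grants of the administrator role
 *              that happen outside a request by a user who may promote users.
 *
 * Install as wp-content/mu-plugins/admin-role-guard.php so it loads before
 * ordinary plugins. Function names and the constant below are this example's
 * own choices, not anything defined by WordPress.
 */

// Assumed setting: false = log only, true = also revert the role change.
if ( ! defined( 'ADMIN_ROLE_GUARD_ENFORCE' ) ) {
    define( 'ADMIN_ROLE_GUARD_ENFORCE', false );
}

/**
 * Is the current request one where handing out administrator is expected?
 * True during installation (the first admin is created while nobody is
 * logged in), under WP-CLI (an operator at the shell), and for a logged-in
 * user with the promote_users capability, which the Users screen requires.
 */
function admin_role_guard_request_is_trusted() {
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return true;
    }
    // Safe to call here: the hooks fire well after pluggable.php, which
    // defines the current-user functions, has been loaded.
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

/**
 * Callback for set_user_role, fired by WP_User::set_role(). wp_insert_user()
 * and wp_create_user() also go through set_role() when creating an account,
 * so new users with role => 'administrator' land here as well.
 */
function admin_role_guard_on_set_role( $user_id, $role, $old_roles ) {
    $old_roles = (array) $old_roles;

    // Only escalations matter: ignore other roles and users who already were admins.
    if ( 'administrator' !== $role || in_array( 'administrator', $old_roles, true ) ) {
        return;
    }
    if ( admin_role_guard_request_is_trusted() ) {
        return;
    }

    // Write to the PHP error log, where a log shipper or SIEM can collect it.
    error_log( sprintf(
        'admin-role-guard: user #%d granted administrator outside a privileged request (acting user #%d, previous roles: %s, request: %s)',
        $user_id,
        get_current_user_id(),
        $old_roles ? implode( ',', $old_roles ) : 'none',
        isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'cli/cron'
    ) );

    if ( ADMIN_ROLE_GUARD_ENFORCE ) {
        // Put the account back on its previous role (or subscriber) so the
        // escalation does not stand while an administrator reviews the log.
        // The nested set_role() re-enters this hook with a non-admin role and
        // returns at the first check, so there is no recursion.
        $user = get_userdata( $user_id );
        if ( $user ) {
            $user->set_role( $old_roles ? reset( $old_roles ) : 'subscriber' );
        }
    }
}
add_action( 'set_user_role', 'admin_role_guard_on_set_role', 10, 3 );

/**
 * WP_User::add_role() fires add_user_role instead; apply the same policy.
 */
function admin_role_guard_on_add_role( $user_id, $role ) {
    if ( 'administrator' !== $role || admin_role_guard_request_is_trusted() ) {
        return;
    }
    error_log( sprintf(
        'admin-role-guard: administrator added to user #%d via add_role() outside a privileged request (acting user #%d)',
        $user_id,
        get_current_user_id()
    ) );
    if ( ADMIN_ROLE_GUARD_ENFORCE ) {
        $user = get_userdata( $user_id );
        if ( $user ) {
            $user->remove_role( 'administrator' );
        }
    }
}
add_action( 'add_user_role', 'admin_role_guard_on_add_role', 10, 2 );
```

Run it in log-only mode first and watch for legitimate hits (cron jobs, membership or SSO plugins that assign roles during login) before turning enforcement on. Role changes that bypass the WP_User API by writing user meta directly never pass through these hooks, so treat the log line as one detection signal alongside vetting which plugins are installed, limiting who may install them, and periodically reviewing the Users screen.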