[wp-trac] [WordPress Trac] #43308: Alter behavior load-scripts.php and load-styles.php to reduce potentially adverse scenarios

WordPress Trac noreply at wordpress.org
Tue Feb 28 19:14:18 UTC 2023


#43308: Alter behavior load-scripts.php and load-styles.php to reduce potentially
adverse scenarios
---------------------------+---------------------
 Reporter:  youngcp        |       Owner:  (none)
     Type:  enhancement    |      Status:  closed
 Priority:  normal         |   Milestone:  5.0
Component:  Script Loader  |     Version:  4.9.4
 Severity:  normal         |  Resolution:  fixed
 Keywords:  has-patch      |     Focuses:
---------------------------+---------------------

Comment (by dgilfillan):

 Hi, I'm hoping one of you might be able to help. I realise this ticket is
 marked as closed and suggests the CVE-2018-6389 exploit has been patched.
 But in the latest WordPress v6.1.1 it still seems an unauthenticated user
 can make a request to /wp-admin/load-scripts.php and pull a concatenated
 file full of JS scripts?

 If it has been fixed, would someone be able to give me a plain English
 rundown of how the exploit is now prevented?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43308#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

