[wp-trac] [WordPress Trac] #3901: Version Database updater displays to any user, not just administrators

WordPress Trac noreply at wordpress.org
Thu Mar 16 07:49:39 UTC 2023


#3901: Version Database updater displays to any user, not just administrators
----------------------------+----------------------
 Reporter:  bradkovach      |       Owner:  (none)
     Type:  defect (bug)    |      Status:  closed
 Priority:  high            |   Milestone:
Component:  Administration  |     Version:  2.1.1
 Severity:  normal          |  Resolution:  wontfix
 Keywords:  needs-patch     |     Focuses:
----------------------------+----------------------

Comment (by bartj):

 As similar tickets are marked as duplicates, I decided to post my comment
 here with a request to reconsider the issue, but on a different basis than
 the one argued in this ticket.

 I don't think it's essentially a potential simultaneous-upgrade problem,
 but rather something that may be perceived as a vulnerability, especially
 when WordPress is reckoned a secure and user-friendly platform.

 The reasoning behind hiding this screen from regular visitors should be to
 never allow any unauthenticated action when it comes to administrative
 tasks. As a website owner, I might rightfully demand to have control over
 my environment, and a database update should be considered one of such
 (sensitive) tasks.

 Even though unauthenticated execution wouldn't bring any malicious
 effects, and it's rather unlikely that simultaneous upgrades would break a
 website, the very thought that any unknown actor could do something on my
 website is quite a thrilling perspective.

 Previously (https://core.trac.wordpress.org/ticket/34200#comment:7), it
 was argued that the upgrade screen may be `curl`'ed, thus authentication
 could introduce an unnecessary burden, but such reasoning is deniable.
 Having at least a *Basic* authentication header sent would easily adopt a
 more secure (at least perceived as secure) solution.

 Although not entirely in line with my beliefs about the case, I think
 @bamadesigner's comment from another ticket
 (https://core.trac.wordpress.org/ticket/34200#comment:12) grasps the very
 root issue of deciding against hiding, or having at all, the upgrade
 screen.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/3901#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
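The comment above suggests that requiring at least an HTTP Basic authentication header on the upgrade screen would keep anonymous visitors from triggering the database upgrade. The following is an added example of how a site owner can do that at the web server level today, without any change to WordPress core; it is not code from the ticket or from the WordPress project. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the WordPress directory, and the htpasswd file path is a placeholder.

```apache
# Added example (not WordPress core code): restrict wp-admin/upgrade.php to
# holders of HTTP Basic credentials. Place this in wp-admin/.htaccess.
# The AuthUserFile path is an assumption; keep it outside the web root.
<Files "upgrade.php">
    AuthType Basic
    AuthName "WordPress database upgrade"
    AuthUserFile /etc/apache2/wp-upgrade.htpasswd
    Require valid-user
</Files>
```

Create the credentials file once with `htpasswd -c /etc/apache2/wp-upgrade.htpasswd <username>`. Only `upgrade.php` is covered, so normal admin screens are unaffected; when the database version is stale, WordPress redirects the administrator to `upgrade.php` and the browser will prompt for the Basic credentials at that point, while a plain unauthenticated `curl` of the same URL receives a 401 and never reaches the upgrade code.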