[wp-meta] [Making WordPress.org] #7960: Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
Making WordPress.org
noreply at wordpress.org
Mon Apr 21 14:31:18 UTC 2025
#7960: Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
----------------------------+--------------------
Reporter: kimjiwoon | Owner: (none)
Type: defect (bug) | Status: new
Priority: low | Milestone:
Component: Support Forums | Keywords:
----------------------------+--------------------
**Rosetta Sites and WordPress.org Sub-sites: Access Behavior of `/wp-admin/about.php`**
**Author**: Jiwoon Kim (Meta Translation Editor, Korean Locale)
**Date Reported**: April 21, 2025
**Priority**: Low (Not a security issue)
**Scope**: Various Rosetta sites and related WordPress.org sub-sites
I am a Meta Translation Editor (PTE) for the Korean WordPress team. With
PTE permissions, I can access the backend at
`https://ko.wordpress.org/wp-admin/`. However, I discovered several cases
where `/wp-admin/about.php` is accessible even without proper permissions.
While this does not seem to be a security issue, I am reporting it here for
documentation and potential review.
---
### Korean Rosetta Site (`/team/`, `/support/`)
Since `https://ko.wordpress.org/wp-admin/index.php` is accessible, it's
understandable that
`https://ko.wordpress.org/wp-admin/about.php` is also accessible.
- Accessing `https://ko.wordpress.org/team/wp-admin/about.php` redirects
to the user profile at `https://profiles.wordpress.org/kimjiwoon/`.
- Attempting to access `https://ko.wordpress.org/support/wp-admin/` shows
the error:
> "You tried to access the 'Korean Support' dashboard, but you do not
currently have access to this site. If you believe you should be able to
access the 'Korean Support' dashboard, please contact the network
administrator."
However, `https://ko.wordpress.org/support/wp-admin/about.php` is
accessible without permissions.
---
### Japanese Rosetta Site
- Accessing `https://ja.wordpress.org/wp-admin/about.php` redirects to
`https://profiles.wordpress.org/kimjiwoon/`.
- `https://ja.wordpress.org/support/wp-admin/about.php` is accessible
without permissions.
---
### WordPress.org Forums
- Accessing `https://wordpress.org/support/wp-admin/` returns the
following error:
> "You tried to access the 'WordPress.org Forums' dashboard, but you do
not currently have access to this site. If you believe you should be able
to access the 'WordPress.org Forums' dashboard, please contact the network
administrator."
However, `https://wordpress.org/support/wp-admin/about.php` is
accessible.
---
### bbPress.org
- `https://bbpress.org/wp-admin/` shows:
> "Sorry, you are not allowed to access this page."
However, `https://bbpress.org/wp-admin/about.php` is accessible
(displayed in English even if the site language is Korean).
---
### BuddyPress.org
- Accessing `https://buddypress.org/wp-admin/about.php` redirects to the
site front page `https://buddypress.org/`.
---
### GPT Analysis
`about.php` is a core admin screen. Like every screen under `/wp-admin/`, it
begins by loading `wp-admin/admin.php`, which calls `auth_redirect()`, so a
login is always required. What `about.php` does not have is a per-site
capability check of its own. The "you do not currently have access to this
site" splash seen on `index.php` is produced by `_access_denied_splash()`,
which core fires only when `user_can_access_admin_page()` rejects a screen
that is registered in the admin menu and whose menu capability the user
lacks on the current site. `about.php` (like `credits.php`, `freedoms.php`
and `privacy.php`) is not registered in any menu, so that check never
rejects it, and on a multisite network any logged-in user can open it on any
site of the network, member of that site or not.
The file contains only read-only release notes and update information (the
"What's New" tab) and is informational rather than administrative, which is
the most likely reason no explicit restriction was ever added to it.
The redirects seen on `ko.wordpress.org/team/`, `ja.wordpress.org` and
`buddypress.org` (to the user profile or to the front page) are not core
behavior, so they must come from site-specific customization on those
sites; they are a separate layer in front of the core check above.
---
🧩 **What does this suggest?**
In the observations above, `about.php` was reachable without site
membership on exactly the sub-sites that run bbPress forums
(`ko.wordpress.org/support/`, `ja.wordpress.org/support/`,
`wordpress.org/support/`) and on bbPress.org itself, which makes bbPress
look like the common factor. The mechanism described above, however, lives
in core, not in bbPress: the forum sub-sites are simply the network sites
the reporter is not a member of, so they are where the missing per-site
check becomes visible. On `ko.wordpress.org` the reporter has PTE access,
and on the sites that redirect elsewhere a site-specific rule intercepts the
request before core's behavior can be observed. Nothing in the pattern
requires a bbPress-specific omission in admin templates or hooks.
---
🛠 **Likely Cause Candidates**
`about.php` is a regular admin screen file under `/wp-admin/` in WordPress
core. It contains no capability check of its own; it relies entirely on
`admin.php` (which enforces login) and on the menu-based check in
`wp-admin/includes/menu.php`, which only covers screens that appear in the
admin menu.
The most likely cause is therefore a deliberate or long-standing core
decision: `about.php` is treated as a "read-only public info page" for
logged-in users, and the per-site check is never applied to it. Even so,
the fact that the same logged-in user gets a dashboard denial on
`/support/wp-admin/` but a full page on `/support/wp-admin/about.php`
raises a reasonable concern about **inconsistency** in permission
enforcement across the network, and a network could close the gap locally
with an `admin_init` check if it wants consistent behavior.
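The following must-use plugin is an added example and is not code from the
ticket, from WordPress core or from WordPress.org's own configuration. It
hooks `admin_init` on a multisite network and denies the unlisted screens to
logged-in users who are not members of the current site, mirroring the
denial core already applies to the dashboard. The list of screen filenames
and the plugin header are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Restrict unlisted admin screens to site members
 * Description: Example mu-plugin (not part of WordPress core or WordPress.org).
 *
 * Drop into wp-content/mu-plugins/ on a multisite network.
 */

add_action( 'admin_init', function () {
    global $pagenow;

    // Screens that load admin.php (so a login is required) but register no
    // admin-menu entry, which is why user_can_access_admin_page() never
    // rejects them for non-members. Assumed list for this example.
    $unlisted_screens = array(
        'about.php',
        'credits.php',
        'freedoms.php',
        'privacy.php',
        'contribute.php',
    );

    // Single sites have no per-site membership concept; network admin
    // screens are already gated on manage_network; super admins are
    // members of every site for our purposes.
    if ( ! is_multisite() || is_network_admin() || is_super_admin() ) {
        return;
    }

    if ( ! in_array( $pagenow, $unlisted_screens, true ) ) {
        return;
    }

    if ( is_user_member_of_blog( get_current_user_id(), get_current_blog_id() ) ) {
        return;
    }

    // Mirror what core does for the dashboard: fire the denial hook so that
    // _access_denied_splash() renders the network's standard "you do not
    // currently have access to this site" message, then stop with a 403.
    do_action( 'admin_page_access_denied' );
    wp_die( __( 'Sorry, you are not allowed to access this page.' ), 403 );
} );
```

`admin_init` fires inside `admin.php` before `about.php` sends any output,
so the denial happens before the release notes are rendered. Site members
and super admins see no change; a logged-in non-member gets the same splash
they already get on `/wp-admin/index.php`.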
---
### Security Considerations
This is **not** a security vulnerability. The `about.php` file does not
allow administrative actions or expose sensitive data; it only displays
release information, and the login requirement enforced by `admin.php`
still applies.
However, access to `/wp-admin/` paths by logged-in users who are not
members of the site, even for read-only pages, can cause UX confusion and
suggests a lack of consistent policy enforcement across the network. If
this is unintended, the behavior is worth reviewing and improving.
---
### Additional Observation: Version Display Inconsistency
At the bottom of `/wp-admin/` pages, the WordPress version string
sometimes changes between reloads:
Example:
- Initially: `Version 6.9-alpha-60170`
- After refresh: `Version 6.9-alpha-60172`
The numeric suffix of a trunk version string is the core SVN revision the
server is running, so two different suffixes mean the two requests were
served from checkouts at different revisions. This is expected on a network
that runs trunk: while a deploy is rolling out, or when caches or CDN nodes
are not yet synchronized, consecutive requests can land on nodes at
different revisions and show slightly different version strings.
---
### WordPress.com / Dashboard Access Examples
- `https://wordpress.com/wp-admin/my-sites.php`: Access denied.
- `https://wordpress.com/wp-admin/about.php`: 403 Forbidden.
- `https://wordpress.com/wp-admin/index.php`: Redirects to
`https://wordpress.com/sites`.
---
### dashboard.wordpress.com
- `https://dashboard.wordpress.com/wp-admin/`: Accessible.
- `https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs`:
Accessible.
- `https://dashboard.wordpress.com/wp-admin/about.php`: 403 Forbidden with
message:
> "Lost? Our server sentries tell us you probably shouldn’t be here.
Maybe you’re lost?
> If you’re sure this is the place you’re trying to go, please contact
us and we’ll be happy to help."
---
### Jetpack-Related Subdomains
- `https://jetpackme.wordpress.com/wp-admin/`: Inaccessible.
- `https://koreanjetpack.wordpress.com/wp-admin/`: Inaccessible.
> *User kimjiwoon96 Cannot Access the Dashboard Requested*
> "You are logged in as 'kimjiwoon96' and do not have the necessary
privileges to access the dashboard for 'Jetpack — Essential Security &
Performance for WordPress'. If you are not 'kimjiwoon96', please log out,
and log back in with your username. If you are 'kimjiwoon96' and you need
access, please ask an administrator of the site to invite you."
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7960>
Making WordPress.org <https://meta.trac.wordpress.org/>