[wp-trac] [WordPress Trac] #28424: XML-RPC endpoint doesn't enforce the admin scheme

WordPress Trac noreply at wordpress.org
Sun Jun 1 12:53:54 UTC 2014

#28424: XML-RPC endpoint doesn't enforce the admin scheme
 Reporter:  johnbillion     |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  XML-RPC         |    Version:
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
 Scenario: a site where the admin area is served over SSL via
 `FORCE_SSL_ADMIN` and the front end is served over HTTP.

 Calling `example.com/xmlrpc.php?rsd` lists the available endpoints and
 correctly uses the admin scheme. However, the scheme isn't enforced, and
 you can still POST to these endpoints over HTTP.

 IMO if `FORCE_SSL_ADMIN` is set, the XML-RPC endpoint should be forced
 over SSL. HTTP requests should be blocked outright with a relevant error

 A situation where this could be an issue is where a site's admin area was
 previously served over HTTP but switched to HTTPS. A client app (eg. one
 of the mobile apps) may still be using the HTTP endpoint and therefore
 avoiding `FORCE_SSL_ADMIN`.

Ticket URL: <https://core.trac.wordpress.org/ticket/28424>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list