[wp-trac] [WordPress Trac] #27331: WordPress Login Page Security Issue
WordPress Trac
noreply at wordpress.org
Sun Mar 9 10:04:34 UTC 2014
#27331: WordPress Login Page Security Issue
----------------------------+-----------------------------
Reporter: hardeepasrani | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
I don't know whether it's a bug or there's a reason behind this, but I
found it to be a security issue.
== The Issue ==
If you're logged into your self-hosted WordPress website as an admin or
any other role, you will still see the login page & you can log in again to any
account.
I think if a user is already logged in then he should be redirected back
to the admin panel (or any other page), not the login page.
== Why it's an issue ==
Just suppose a user is using his WP site (as admin) on a public computer,
then he somehow gets to the login page (by clicking on the link) & sees that
he is already logged out (even when he's logged in) because he can see the
login page. So, now he thinks that he's been logged out, but he is still
logged in.
So, I think a logged-in user should either be redirected back to the admin panel
or have to fill in the login details again to sign in.
What are your thoughts?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27331>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
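The mitigation the reporter proposes (send an already-authenticated user to the dashboard instead of rendering the login form) can be implemented on a site without touching core, as a must-use plugin. The following is an added example written for this page; it is not WordPress core code and not something the reporter posted. It relies on real core APIs (`login_init`, `is_user_logged_in()`, `wp_safe_redirect()`, `admin_url()`, `sanitize_key()`, `wp_unslash()`); the plugin header and the function name are assumed. The pass-through list matters: `wp-login.php` also serves logout, password-reset, post-password and forced re-authentication (`reauth=1`) requests, and an unconditional redirect would break exactly the "log out" action a user on a shared computer needs.

```php
<?php
/**
 * Plugin Name: Redirect logged-in users away from the login form (assumed name)
 * Description: Added example for Trac #27331. Drop into wp-content/mu-plugins/
 *              so it loads before any theme or regular plugin.
 */

// `login_init` fires near the top of wp-login.php, before any output, so a
// redirect issued here replaces the form entirely.
add_action( 'login_init', 'example_redirect_authenticated_user_from_login' );

/**
 * Send an already-authenticated visitor to the dashboard (or a safe
 * redirect_to target) instead of showing the login form.
 *
 * The reporter's point is that seeing the form does not end the session:
 * the auth cookie is still valid. Redirecting removes the misleading cue,
 * but only for plain "login" requests; the other actions served by
 * wp-login.php must keep working.
 */
function example_redirect_authenticated_user_from_login() {
	// No valid auth cookie: let the normal login form render.
	if ( ! is_user_logged_in() ) {
		return;
	}

	// Forced re-authentication (used by wp-admin when a cookie is stale)
	// and the interim "session expired" modal must still show the form.
	if ( ! empty( $_REQUEST['reauth'] ) || isset( $_REQUEST['interim-login'] ) ) {
		return;
	}

	// Actions other than "login" are legitimate for a logged-in user.
	$action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';
	$passthrough = array(
		'logout',           // the one action a user on a public computer needs most
		'lostpassword',
		'retrievepassword',
		'resetpass',
		'rp',
		'postpass',         // password-protected post form
	);
	if ( in_array( $action, $passthrough, true ) ) {
		return;
	}

	// Honour an explicit redirect_to, otherwise fall back to the dashboard.
	// wp_safe_redirect() rejects off-site hosts, so an attacker-supplied
	// redirect_to cannot turn this into an open redirect.
	$target = isset( $_REQUEST['redirect_to'] )
		? wp_unslash( $_REQUEST['redirect_to'] )
		: admin_url();

	wp_safe_redirect( $target );
	exit;
}
```

Because the check runs on every request to `wp-login.php`, a user who is still logged in can no longer mistake the form for a logged-out state; they are taken to the dashboard, where the toolbar makes the active session visible and the logout link is one click away.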