[wp-trac] [WordPress Trac] #36779: Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes
WordPress Trac
noreply at wordpress.org
Fri May 6 18:26:47 UTC 2016
#36779: Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes
---------------------------+-----------------------------
Reporter: SaulNunez | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version: 4.4.2
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
Basically these files are inside the /wp-admin directory, but you can hit them
and get output without being authenticated. Examples:
http://somedomain.usingwp.com/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=4.4.2
http://somedomain.usingwp.com/wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=4.4.2
If these scripts are for use inside admin, why isn't authentication
required? If these scripts are for general use on the admin, themes, etc.,
why aren't they in wp-includes?
This was pointed out to me in a security scan, and apart from that, if the
idea is general use for these, I think hosting them in /wp-admin is misleading.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36779>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform