[wp-trac] [WordPress Trac] #45334: User with admin capabilities created via POST?
WordPress Trac
noreply at wordpress.org
Mon Nov 12 23:01:29 UTC 2018
#45334: User with admin capabilities created via POST?
---------------------------------+-----------------------------
 Reporter:  miloszryckobozenski  |      Owner:  (none)
     Type:  defect (bug)         |     Status:  new
 Priority:  normal               |  Milestone:  Awaiting Review
Component:  General              |    Version:  4.9.8
 Severity:  critical             |   Keywords:
  Focuses:                       |
---------------------------------+-----------------------------
WordPress 4.9.8.
WPScan shows two issues:
[!] Detected 2 users from RSS feed:
[!] Full Path Disclosure (FPD) in 'https://embraceyourlife.pl/wp-includes/rss-functions.php': /home/hl2404/domains/embraceyourlife.pl/public_html/wp-includes/rss-functions.php
Plugins, themes, core in newest versions.
Nothing more.
I got an e-mail with a notification that a user with admin caps was created.
In the logs I found only:
174.142.75.169 - - [12/Nov/2018:23:12:08 +0100] "POST /wp-login.php?action=register HTTP/1.1" 302 4351 "-" "python-requests/2.18.1"
174.142.75.169 - - [12/Nov/2018:23:12:13 +0100] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 2789 "-" "python-requests/2.18.1"
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45334>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
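
Added example, not part of the original ticket or of WordPress code: a Python scan of a web server access log for the request pair quoted in the report, a POST to /wp-login.php?action=register answered with 302, followed by a GET of checkemail=registered from the same client. The sample lines, the combined log format and the SCRIPTED_UA list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-agent prefixes of common HTTP libraries (assumed list, extend as needed)
SCRIPTED_UA = ("python-requests", "curl/", "Go-http-client", "libwww-perl")
# Constructed sample lines using documentation IP ranges, not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 4351 "-" "python-requests/2.18.1"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 2789 "-" "python-requests/2.18.1"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

def find_registrations(lines):
    """Return one record per client IP whose registration POST was answered with 302."""
    events = defaultdict(lambda: {"posts": [], "completed": False, "ua": ""})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith("/wp-login.php?"):
            continue  # malformed line or unrelated request
        query = m["path"].split("?", 1)[1].split("&")
        rec = events[m["ip"]]
        # A 200 on the POST means the form was shown again with an error, so only 302 counts
        if m["method"] == "POST" and "action=register" in query and m["status"] == "302":
            rec["posts"].append(m["ts"])
            rec["ua"] = m["ua"]
        elif m["method"] == "GET" and "checkemail=registered" in query and rec["posts"]:
            rec["completed"] = True  # client followed the success redirect
    return [
        {"ip": ip, "first_post": r["posts"][0], "count": len(r["posts"]),
         "completed": r["completed"], "scripted": r["ua"].startswith(SCRIPTED_UA)}
        for ip, r in events.items() if r["posts"]
    ]

if __name__ == "__main__":
    for record in find_registrations(SAMPLE_LOG):
        print(record)
```

Each returned record can be matched by timestamp against the registration date of the accounts listed in the WordPress users table.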