[wp-trac] [WordPress Trac] #45334: User with admin capabilities created via POST?
WordPress Trac
noreply at wordpress.org
Mon Nov 12 23:49:48 UTC 2018
#45334: User with admin capabilities created via POST?
---------------------------------+----------------------
Reporter: miloszryckobozenski | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.9.8
Severity: normal | Resolution: invalid
Keywords: | Focuses:
---------------------------------+----------------------
Changes (by dd32):
* status: new => closed
* resolution: => invalid
* severity: critical => normal
* milestone: Awaiting Review =>
Comment:
Hi @miloszryckobozenski,
> I got e-mail with notification that user with admin caps was created.
Unfortunately you'll probably find that two settings have been altered on
your install. On the Settings -> General page, ensure that
- "Members can register" is disabled (Unless you specifically want to
have users register)
- "New User Default Role" is set to something sane (By default,
'Subscriber', and not 'Administrator' as I believe it was when the user
was registered)
Although all your plugins are up to date, it's likely been caused by a
recent plugin vulnerability which allowed those settings to be changed at
a previous date (before the plugin update) and it's just now being
exploited by a user registration being made.
I'd recommend checking your other registered users as well and treat the
site as hacked, check for other plugins, check for malicious code added to
themes.
Trac isn't a support avenue, however; the [https://wordpress.org/support/
Support Forums] may be able to further assist, plus the WordPress Codex
has a page on what to do next:
https://codex.wordpress.org/FAQ_My_site_was_hacked
> [!] Full Path Disclosure (FPD)
WordPress doesn't consider FPD to be a valid concern for the software, and
recommends disabling the `display_errors` PHP directive in production.
While I'll agree that it could be an "easy fix" it's not something that
we're currently interested in.
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
I'm marking this as invalid, as unfortunately there's nothing included
which is a bug in WordPress, just the unfortunate side effects from a bad
plugin allowing a bad actor to alter settings and create users.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45334#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
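The two settings dd32 names above can be pinned in code so that a compromised plugin or a stolen admin session cannot quietly flip them again, and any grant of the administrator role can be reported as it happens. The following must-use plugin is an added example written for this page, not code from the ticket or from WordPress core; it assumes a standard install where the file is placed under `wp-content/mu-plugins/`, and it uses only core hooks (`pre_option_{$option}`, `set_user_role`, `wp_mail`).

```php
<?php
/**
 * Plugin Name: Registration Settings Guard (added example, not part of the ticket)
 * Description: Pins "Members can register" off and the default role to subscriber,
 *              and e-mails the site admin whenever a user is granted administrator.
 * Install:     wp-content/mu-plugins/registration-guard.php (loads before plugins,
 *              cannot be deactivated from the dashboard).
 */

// Short-circuit get_option() for the two settings the ticket discusses. Any value
// other than boolean false returned from pre_option_{$option} wins over the database,
// so a plugin or attacker changing wp_options has no effect while this file is loaded.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// WP_User::set_role() fires set_user_role( $user_id, $new_role, $old_roles ) for both
// new registrations and promotions of existing users, so this catches the case in the
// ticket (a fresh registration landing as administrator) as well as later elevation.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role || in_array( 'administrator', (array) $old_roles, true ) ) {
        return; // Not a new grant of administrator; nothing to report.
    }

    $user    = get_userdata( $user_id );
    $site    = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
    $subject = sprintf( '[%s] administrator role granted to user #%d', $site, $user_id );
    $body    = sprintf(
        "User login: %s\nE-mail: %s\nPrevious roles: %s\nRequest IP: %s\nTime (UTC): %s\n",
        $user ? $user->user_login : '(unknown)',
        $user ? $user->user_email : '(unknown)',
        $old_roles ? implode( ', ', (array) $old_roles ) : '(none)',
        $_SERVER['REMOTE_ADDR'] ?? '(cli)',   // absent when run from WP-CLI or cron
        gmdate( 'Y-m-d H:i:s' )
    );

    // Write to the PHP error log as well, so the event survives even if mail fails.
    error_log( 'registration-guard: ' . str_replace( "\n", ' | ', $body ) );
    wp_mail( get_option( 'admin_email' ), $subject, $body );
}, 10, 3 );
```

After dropping the file in place, confirm the pin is active with `wp option get users_can_register` and `wp option get default_role` (they should report `0` and `subscriber` regardless of what the database holds), and review `wp user list --role=administrator` for accounts you do not recognise.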