[wp-trac] [WordPress Trac] #44935: Automated tests suggesting /wp-login.php?action=lostpassword can be used for compromising site

WordPress Trac noreply at wordpress.org
Wed Sep 12 14:07:21 UTC 2018


#44935: Automated tests suggesting /wp-login.php?action=lostpassword can be used
for compromising site
------------------------------------+----------------------
 Reporter:  wzislam                 |       Owner:  (none)
     Type:  defect (bug)            |      Status:  closed
 Priority:  normal                  |   Milestone:
Component:  Login and Registration  |     Version:  4.9.8
 Severity:  normal                  |  Resolution:  invalid
 Keywords:                          |     Focuses:
------------------------------------+----------------------
Changes (by swissspidy):

 * status:  new => closed
 * severity:  major => normal
 * component:  Security => Login and Registration
 * milestone:  Awaiting Review =>
 * keywords:  needs-testing =>
 * resolution:   => invalid


Comment:

 Hi there!

 When creating a ticket, there was a big warning saying "Do not report
 potential security vulnerabilities here.".

 Next time when you create a ticket that's about security, please think
 twice whether it's a potential security vulnerability and report it
 responsibly at https://hackerone.com/wordpress.

 Ideally, you manually verify the result of your automated scanner, because
 in this case this is a false positive and no real path disclosure issue.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44935#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform