[wp-trac] [WordPress Trac] #46883: Blog Configs being overridden by Hacker Bots
WordPress Trac
noreply at wordpress.org
Thu Apr 11 15:59:11 UTC 2019
#46883: Blog Configs being overridden by Hacker Bots
-------------------------------+-----------------------------
 Reporter:  zsystech           |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  5.1
 Severity:  critical           |   Keywords:
  Focuses:                     |
-------------------------------+-----------------------------
 We consider this a Bug since no malicious damage to Sites or Servers
 has been found.

 We have multiple instances on sites where Robots can Auto Submit posts
 to Blog pages even though the sites are configured not to allow public
 posts/discussion. Currently we have over a dozen end users that have
 reached out to us to make sure their sites have not been hacked.

 Main configuration: Configured not to allow Posts/Discussion and not to
 allow Posts by anyone not logged in. User account creation is also turned
 off. Thankfully, some of these sites are set up to be moderated and these
 malicious posts have only been caught this way; however, the end users that
 are not moderating are seeing an increase in issues with this
 Bug/Backdoor.

 This is happening on sites with multiple theme types, multiple versions
 of PHP, and also multiple Web Server Platforms. At first I thought maybe
 it was a Theme issue working with the Core; however, further research from
 dealing with other end users is showing that it looks related to the Core,
 since multiple Theme types are being used by multiple end users. However,
 to try and rule out any CORE Issue, we are having End Users send us their
 Web Server, PHP, and Database Logs to research this issue deeper.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/46883>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform