[wp-trac] [WordPress Trac] #49315: Critical vulnerability - logging in with username and password of another wordpress web site
WordPress Trac
noreply at wordpress.org
Tue Jan 28 18:32:59 UTC 2020
#49315: Critical vulnerability - logging in with username and password of another
wordpress web site
--------------------------+----------------------
 Reporter:  smartwater    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Users         |     Version:
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by SergeyBiryukov):
* status: new => closed
* resolution: => invalid
* component: General => Users
* milestone: Awaiting Review =>
Comment:
Hi there, welcome to WordPress Trac!
When writing the ticket you should have seen this notice:
> **Do not report potential security vulnerabilities here.**
> See the [https://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/ Security FAQ] and visit the [https://hackerone.com/wordpress WordPress HackerOne program].
Worth noting that there are several possible explanations:
* If the sites are on a [https://wordpress.org/support/article/create-a-network/ Multisite network], they have a shared users table.
* Single sites can also have a shared users table via the [https://wordpress.org/support/article/editing-wp-config-php/#custom-user-and-usermeta-tables constants set in wp-config.php].
* The user could be created manually with the same credentials on more than one site.
If you think you have found a real security vulnerability, please head
over to HackerOne, and do not post it here.
Thanks for your cooperation.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49315#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
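
Added example (not part of the Trac comment and not WordPress code): a Python check that reads the text of two sites' wp-config.php files and reports whether one of the first two explanations in the comment applies, that is, whether both sites resolve to the same users table. The sample configurations, database names and function names are constructed for illustration; the script assumes literal define() calls, a default prefix of wp_, and treats matching DB_HOST, DB_NAME and users table name as a shared table.

```python
import re

# Literal define('NAME', 'value') or define('NAME', true) calls only.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def users_table(php):
    """Return (db_host, db_name, users_table, multisite) for a wp-config.php text."""
    src = re.sub(r"/\*.*?\*/", "", php, flags=re.S)       # drop block comments
    src = re.sub(r"^\s*(//|#).*$", "", src, flags=re.M)   # drop whole-line comments
    consts = {}
    for m in DEFINE_RE.finditer(src):
        consts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    pm = PREFIX_RE.search(src)
    prefix = pm.group(1) if pm else "wp_"                 # assumed default prefix
    # CUSTOM_USER_TABLE overrides the default "<prefix>users" table name.
    table = consts.get("CUSTOM_USER_TABLE") or prefix + "users"
    multisite = str(consts.get("MULTISITE", "")).lower() == "true"
    return (consts.get("DB_HOST"), consts.get("DB_NAME"), table, multisite)

def diagnose(cfg_a, cfg_b):
    """Classify two sites as 'multisite', 'shared-table' or 'separate'."""
    a, b = users_table(cfg_a), users_table(cfg_b)
    if a[:3] != b[:3]:
        return "separate"  # remaining explanation: same credentials created on both
    return "multisite" if (a[3] or b[3]) else "shared-table"

# Constructed sample configurations (not taken from the ticket).
SITE_A = """<?php
define( 'DB_NAME', 'shop_db' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'shop_';
"""
SITE_B = """<?php
define( 'DB_NAME', 'shop_db' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'blog_';
// define( 'CUSTOM_USER_TABLE', 'old_users' );
define( 'CUSTOM_USER_TABLE', 'shop_users' );
define( 'CUSTOM_USER_META_TABLE', 'shop_usermeta' );
"""
SITE_C = SITE_A.replace("shop_db", "other_db")
NETWORK = SITE_A + "define( 'MULTISITE', true );\n"

if __name__ == "__main__":
    for name, cfg in (("B", SITE_B), ("C", SITE_C)):
        print("A vs", name, "->", diagnose(SITE_A, cfg))
```

A "separate" result leaves the third explanation from the comment: the same account was created on both sites.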