[wp-trac] [WordPress Trac] #50274: Database upgrade without an admin session
WordPress Trac
noreply at wordpress.org
Thu May 28 06:54:05 UTC 2020
#50274: Database upgrade without an admin session
--------------------------+-----------------------------
Reporter: vipestudio | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Recently I experienced an interesting breach in WordPress security, which
I haven’t found discussed anywhere yet (excuse me if so!).
It seems WordPress allows any single visitor to perform a database upgrade
after a core system upgrade.
How is this possible?
In order to notice this, your WordPress installation has to have been updated
recently with a version jump that requires a database upgrade as well. This
can happen even by itself, because the majority of WordPress installations
update themselves using wp-cron.
So let’s say your WordPress has recently been updated from v4.9 to 5.4.
Then the upgrade is usually finished with this screen, asking you to
upgrade the database.
This seems pretty normal and straightforward. Yes, for sure, if you are the
logged-in administrator that just performed the upgrade.
The problem: you don’t have to be logged in to perform this
However, if you decide to destroy your session and open /wp-admin as a
guest visitor, you will notice the same screen. We attach a screenshot of it
together with our active cookies. No logged-in session is present, as you
can see.
That doesn’t seem so right. Let’s watch the whole process with the cookies
tab open in the YouTube video we recorded specially for this case.
https://www.youtube.com/watch?v=sODsvSykUqw&feature=emb_title
As you can see, we first performed the database upgrade as a guest visitor,
and after that we logged ourselves into the admin area.
I don't consider this a hacker thing, but more like not following good
practices.
I would like to personally fix the code, how can I contribute?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50274>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
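One mitigation a site owner can deploy while the ticket is open is a must-use plugin that refuses to serve wp-admin/upgrade.php to anyone who lacks the update_core capability. The code below is an added example written for this page; it is not WordPress core code and not something the reporter posted. It assumes that wp-admin/upgrade.php loads wp-load.php before handling the step=1 request (so must-use plugins are loaded and the init action fires first), that regular plugins are skipped while WP_INSTALLING is set (which is why this has to live in wp-content/mu-plugins/), and that core's vars.php sets $GLOBALS['pagenow'] to 'upgrade.php' for that script. The ticket50274_ prefix is a placeholder.

```php
<?php
/**
 * Plugin Name: Require update_core for wp-admin/upgrade.php
 * Description: Added example for Trac #50274 (not core code). Install in
 *              wp-content/mu-plugins/ so it loads even while WP_INSTALLING is set.
 */

// Priority 0 so the check runs before anything else hooked to init.
add_action( 'init', 'ticket50274_gate_database_upgrade', 0 );

/**
 * Stop the database upgrade screen for visitors who may not update core.
 *
 * Assumption: init fires before upgrade.php reaches its step handler because
 * wp-load.php is required at the top of that file.
 */
function ticket50274_gate_database_upgrade() {
	// WP-CLI and wp-cron are not browser requests; leave them alone.
	if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
		return;
	}

	if ( ! ticket50274_is_upgrade_request() ) {
		return;
	}

	// update_core is the capability the core updater UI already checks;
	// on multisite it maps to super admins only.
	if ( current_user_can( 'update_core' ) ) {
		return;
	}

	if ( ! is_user_logged_in() ) {
		// Guests are sent to wp-login.php and returned here afterwards.
		auth_redirect();
	}

	// Logged-in but unprivileged users get a plain 403 page.
	wp_die(
		__( 'Sorry, you are not allowed to upgrade this site.' ),
		__( 'Forbidden' ),
		array( 'response' => 403 )
	);
}

/**
 * True when the current request is for wp-admin/upgrade.php.
 *
 * Checks $pagenow (set by core's vars.php, assumed to be 'upgrade.php' here)
 * and falls back to the script path in case $pagenow is not what we expect.
 */
function ticket50274_is_upgrade_request() {
	$pagenow = isset( $GLOBALS['pagenow'] ) ? (string) $GLOBALS['pagenow'] : '';
	$script  = isset( $_SERVER['SCRIPT_NAME'] ) ? (string) $_SERVER['SCRIPT_NAME'] : '';
	$suffix  = '/wp-admin/upgrade.php';

	return 'upgrade.php' === $pagenow
		|| substr( $script, -strlen( $suffix ) ) === $suffix;
}
```

After dropping the file into wp-content/mu-plugins/, an anonymous request for /wp-admin/upgrade.php?step=1 is redirected to the login form instead of running wp_upgrade(), and a logged-in subscriber gets a 403; an administrator sees the upgrade screen exactly as before. Gating at init rather than with a webserver deny rule keeps the normal "upgrade the database" flow working for the administrator who just ran the core update.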