[wp-trac] [WordPress Trac] #54146: Session not expired on logout
WordPress Trac
noreply at wordpress.org
Sun Sep 19 09:08:48 UTC 2021
#54146: Session not expired on logout
--------------------------+------------------------------
Reporter: farhin28 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: critical | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Changes (by farhin28):
* Attachment "Wordpress.rar" removed.
Hi, there is a session management vulnerability in your website, i.e. the
user's session is not expiring immediately after the logout. There is no
session expiry after log-out, which can help an attacker take over the
full account by reusing it. The JSESSIONID, which is vulnerable, can be used
an unlimited number of times even after the password change. The server will
keep on creating an unlimited number of sessions after each log-in, which will
never expire and can be reused again and again. The URL contains the
session, which can be captured by an attacker; the URL should not contain any
sensitive information.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54146>
WordPress Trac <https://core.trac.wordpress.org/>