[wp-trac] [WordPress Trac] #61513: Attention points in Pentest
WordPress Trac
noreply at wordpress.org
Wed Jun 26 19:00:01 UTC 2024
#61513: Attention points in Pentest
---------------------------+-----------------------------
Reporter: raphaelsramos | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
Team WP, good evening.
The security team of one of the projects I work on asked me to make some
adjustments to increase the security level, and this led me to edit some
WordPress Core files. I would like to see the possibility of including
them in the Core permanently, focusing on increasing community security.
1. Direct access to some files inside the /wp-admin folder can lead to
exposure of sensitive data:
- /wp-admin/admin-functions.php
- /wp-admin/admin-header.php
- /wp-admin/custom-background.php
- /wp-admin/custom-header.php
To adjust this, I've just added this code at the top of each file:
// Don't load directly.
if ( ! defined( 'ABSPATH' ) ) {
	die( '-1' );
}
2. Direct access to /wp-admin/upgrade.php can expose a WP installation.
To fix it, I've added this code to /wp-admin/upgrade.php after the require of
the wp-load.php file:
if ( ! is_user_logged_in() ) {
	die( '-1' );
}
If possible, I would like to check the impact of the proposed adjustments
and, if they are within the standards, that they are added to the WP core.
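An added audit helper, not part of the ticket or of WordPress itself, that checks whether a PHP file carries a direct-access guard of the kind proposed above (a `defined( 'ABSPATH' )` test) before its first executable statement. It is a line-based heuristic, not a PHP parser: it skips the `<?php` tag, comments, `declare`, `namespace` and `use` lines, and classifies the first remaining line. The file names and contents below are constructed samples, not the real contents of the core files named in the ticket.

```python
import re

# Matches the guard expression itself, e.g. `! defined( 'ABSPATH' )` or
# `defined( 'ABSPATH' ) || exit;` (both common forms of the same check).
ABSPATH_GUARD = re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)""")

# Lines that are not executable statements and may legitimately precede the guard.
NON_EXECUTABLE = re.compile(r"^(?://|#|declare\b|namespace\b|use\b)")


def has_direct_access_guard(php_source: str) -> bool:
    """Return True if an ABSPATH guard appears before the first executable statement.

    A file with no executable code at all is reported as guarded, since there is
    nothing to protect. Block comments spanning several lines are skipped.
    """
    in_block_comment = False
    for raw in php_source.splitlines():
        line = raw.strip()
        if in_block_comment:
            if "*/" not in line:
                continue
            in_block_comment = False
            line = line.split("*/", 1)[1].strip()
        if line.startswith("<?php"):
            line = line[len("<?php"):].strip()
        if line.startswith("/*"):
            if "*/" in line:
                line = line.split("*/", 1)[1].strip()
            else:
                in_block_comment = True
                continue
        if not line or NON_EXECUTABLE.match(line):
            continue
        # First executable line decides: guard present here, or code runs first.
        return bool(ABSPATH_GUARD.search(line))
    return True


def find_unguarded(files: dict) -> list:
    """Return the names of files (name -> source) that lack a leading ABSPATH guard."""
    return [name for name, source in files.items() if not has_direct_access_guard(source)]


# Constructed sample sources (hypothetical contents, not the real core files).
GUARDED_SAMPLE = """<?php
/**
 * Constructed sample: header docblock before the guard.
 */
// Don't load directly.
if ( ! defined( 'ABSPATH' ) ) {
	die( '-1' );
}
echo 'admin output';
"""

SHORT_FORM_SAMPLE = """<?php
namespace Example_Plugin;
defined( 'ABSPATH' ) || exit;
do_something();
"""

UNGUARDED_SAMPLE = """<?php
require_once __DIR__ . '/admin.php';
if ( ! defined( 'ABSPATH' ) ) { die( '-1' ); }
"""

SAMPLES = {
    "admin-functions.php": GUARDED_SAMPLE,
    "custom-header.php": SHORT_FORM_SAMPLE,
    "custom-background.php": UNGUARDED_SAMPLE,
}

if __name__ == "__main__":
    for name in find_unguarded(SAMPLES):
        print(f"{name}: no ABSPATH guard before first executable statement")
```

The third sample is flagged even though it contains the guard, because a `require_once` runs before it; that ordering is exactly what makes a guard ineffective, so the check is on position, not mere presence.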
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61513>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform