WordPress.org
Get WordPress

Make WordPress Core

{31} Tickets in the Security component (54 matches)

Arguments
Create a new ticket
  • Active tickets in the Security component
  • Grouped by workflow and sorted by type, summary
  • Accepted tickets have an '*' appended to their owner's name

Slated for Next Release (3 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#64789 Security audit for API key storage on the Connectors screen normal normal 7.0 task (blessed) dev-feedback 04/19/2026
#64245 Update bundled root certificates for 7.0 desrosj normal normal 7.0 task (blessed) has-patch 04/01/2026
#64969 Update bundled root certificates for 7.1 normal normal 7.1 task (blessed) 03/27/2026

Tickets Awaiting Review (30 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#65054 $_GET['pagenow'] and $_GET['widget'] unsanitized in dashboard AJAX handler rajeshcp normal major Awaiting Review defect (bug) has-patch 04/09/2026
#52333 Lack of the : entity on the list of allowed entity names in kses.php normal minor Awaiting Review defect (bug) has-patch 01/20/2021
#41391 Links to media in password protected pages normal normal Awaiting Review defect (bug) 07/24/2017
#65052 Nonce check order flaw in post-quickdraft-save rajeshcp normal major Awaiting Review defect (bug) has-patch 04/09/2026
#37264 Please do not chmod 666 the wp-config.php file on installation. normal normal Awaiting Review defect (bug) has-patch 03/22/2019
#53869 Post type / Taxonomy Label Hardening: Prevent Raw HTML tags in output / Media Library eval of HTML entities in label normal normal Awaiting Review defect (bug) has-patch 08/04/2021
#63940 Prevent POST flood cache bypass attacks normal normal Awaiting Review defect (bug) 09/06/2025
#53994 REST API requests with session cookies but an invalid/missing nonce are considered authenticated for most of the request normal normal Awaiting Review defect (bug) 08/24/2021
#63259 Replace zxcvbn with zxcvbn-ts normal normal Awaiting Review defect (bug) 04/11/2025
#56860 Sodium Compat library is improperly loaded normal normal Awaiting Review defect (bug) 11/19/2024
#60864 URL sanitizing strips valid characters instead of encoding, documented use is invalid normal normal Awaiting Review defect (bug) has-patch 01/04/2026
#62693 check if chmod is available to prevent Fatal Errors normal normal Awaiting Review defect (bug) 12/14/2024
#58679 meta key field in usermeta table should NOT use accent insensitive collations normal major Awaiting Review defect (bug) 08/19/2025
#57447 wp_ajax_inline_save function does not check if post has "public" or "show_ui" enabled normal normal Awaiting Review defect (bug) 01/11/2023
#56521 wp_kses wp_kses_hair fails to allow a valueless attribute when is follwed by / normal major Awaiting Review defect (bug) has-patch 09/06/2022
#62384 .htaccess lacks normal normal Awaiting Review enhancement 12/09/2024
#23165 Admin validation errors on form nonce element IDs (_wpnonce) normal normal Awaiting Review enhancement has-patch 02/08/2021
#58636 Automatic Sanitization of Nonces in wp_verify_nonce normal normal Awaiting Review enhancement 06/26/2023
#40237 Educate users about modern password best-practices normal normal Awaiting Review enhancement 06/06/2022
#51611 Escape echoing Core functions normal normal Awaiting Review enhancement 10/24/2020
#64481 Explore Sec-Fetch Headers as a Core-Supported CSRF Mitigation Mechanism normal normal Awaiting Review enhancement 01/08/2026
#43320 Harden API requests against man-in-the-middle attacks low minor Awaiting Review enhancement 02/18/2018
#51159 Let's expand our context specific escaping methods for wp_json_encode(). normal normal Awaiting Review enhancement 01/15/2026
#57424 Specific hook for Content Security Policy normal normal Awaiting Review enhancement 01/05/2023
#60470 Use `filter_input` instead of superglobals where possible normal normal Awaiting Review enhancement 02/09/2024
#63329 Use check_ajax_referer() instead of check_admin_referer() for AJAX requests in media form handling. normal normal Awaiting Review enhancement has-patch 04/22/2025
#36177 default htaccess should include security measures normal normal Awaiting Review enhancement 12/24/2024
#55514 2FA by default for WordPress normal normal Awaiting Review feature request 03/06/2023
#43215 Allow wp_kses to pass allowed CSS properties normal normal Awaiting Review feature request 11/19/2025
#53902 Automating the creation of inline javascript and inline stylesheet nonces or hashes normal normal Awaiting Review feature request 07/03/2024

Candidates for Closure (7 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#63457 WordPress 6.8 will fail creating bcrypt when entropy sources are not available normal normal Awaiting Review defect (bug) reporter-feedback 05/18/2025
#31686 wp_authenticate_username_password() should check for a WP_Error object normal normal Awaiting Review defect (bug) reporter-feedback 08/06/2019
#63727 A new function to sanitize an array normal normal Awaiting Review enhancement dev-feedback 07/28/2025
#37757 Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+ normal normal Awaiting Review enhancement dev-feedback 04/24/2025
#62949 HttpOnly flag for the post password cookie normal normal Awaiting Review enhancement dev-feedback 02/12/2025
#61706 Support for storing and getting encrypted options normal normal Awaiting Review enhancement dev-feedback 02/18/2025
#62202 allow plugin versions to be flagged as security updates normal normal Awaiting Review feature request close 10/10/2024

Tickets Needing Feedback (4 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#56141 Enhance installer security high major Future Release enhancement dev-feedback 08/30/2025
#37000 Support for the SameSite cookie attribute normal normal Future Release enhancement dev-feedback 06/06/2024
#38474 wp_signups.activation_key stores activation keys in plain text SergeyBiryukov normal normal Future Release enhancement dev-feedback 06/20/2025
#30465 Dashboard alert if a plugin/theme was removed from WordPress repo normal normal Future Release feature request dev-feedback 02/24/2026

Tickets with Patches (4 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#53973 WordPress <= 5.8 - Authenticated Persistent XSS (User role name) normal normal Future Release defect (bug) has-patch 03/12/2025
#56391 safecss_filter_attr(): support rgba background-color normal normal defect (bug) has-patch 02/13/2026
#51407 Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility adamsilverstein normal normal Future Release enhancement dev-feedback 12/26/2023
#20140 Ask old password to change user password normal major Future Release feature request dev-feedback 07/28/2024

Unpatched Bugs (1 match)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#62134 Security Issue in WordPress Core normal normal defect (bug) 10/14/2024

Unpatched Enhancements (5 matches)

Ticket Summary Owner Priority Severity Milestone Type Workflow Modified
#28521 FORCE_SSL constant for really forcing SSL adamsilverstein normal normal Future Release enhancement 11/19/2024
#44058 Include security sniffs in PHPCS ruleset normal normal Future Release enhancement 05/16/2018
#36087 Migration plan from insecure RNG fallback normal normal Future Release enhancement 09/30/2020
#51438 Use CSP directive upgrade-insecure-requests when using HTTPS normal normal Future Release enhancement needs-unit-tests 11/09/2021
#32067 Remove inline javascript from WP-Core to allow CSP protection normal normal Future Release feature request 10/21/2025
Note: See TracReports for help on using and creating reports.