Make WordPress Core

{31} Tickets in the Security component (85 matches)

  • Active tickets in the Security component
  • Grouped by workflow and sorted by type, summary
  • Accepted tickets have an '*' appended to their owner's name

Slated for Next Release (1 match)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #30465 | Dashboard alert if a plugin/theme was removed from WordPress repo | | normal | normal | 6.5 | feature request | dev-feedback | 09/18/2023 |

Tickets Awaiting Review (48 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #24907 | Escape admin_url() when used for ajax_url in admin header | | normal | normal | Awaiting Review | defect (bug) | has-patch | 06/04/2019 |
| #58900 | Escaping: Output String did not run through a proper escaping function | | normal | normal | Awaiting Review | defect (bug) | has-patch | 07/25/2023 |
| #58769 | HTTP/3 Early-Data/0-RTT replay attack | | normal | major | Awaiting Review | defect (bug) | | 07/10/2023 |
| #52333 | Lack of the : entity on the list of allowed entity names in kses.php | | normal | minor | Awaiting Review | defect (bug) | has-patch | 01/20/2021 |
| #41391 | Links to media in password protected pages | | normal | normal | Awaiting Review | defect (bug) | | 07/24/2017 |
| #53618 | Nonce use for AJAX calls interferes with page caching | | normal | normal | Awaiting Review | defect (bug) | | 07/07/2021 |
| #37559 | Password protected pages require the password only once | | normal | normal | Awaiting Review | defect (bug) | | 06/04/2019 |
| #37264 | Please do not chmod 666 the wp-config.php file on installation. | | normal | normal | Awaiting Review | defect (bug) | has-patch | 03/22/2019 |
| #53869 | Post type / Taxonomy Label Hardening: Prevent Raw HTML tags in output / Media Library eval of HTML entities in label | | normal | normal | Awaiting Review | defect (bug) | has-patch | 08/04/2021 |
| #53994 | REST API requests with session cookies but an invalid/missing nonce are considered authenticated for most of the request | | normal | normal | Awaiting Review | defect (bug) | | 08/24/2021 |
| #56860 | Sodium Compat library is improperly loaded | | normal | normal | Awaiting Review | defect (bug) | | 10/20/2022 |
| #58771 | Someone logged onto my WordPress Admin Site, changed the password, and created a User Registration | | normal | normal | Awaiting Review | defect (bug) | | 07/10/2023 |
| #53019 | The _sanitize_text_fields function removing the octets that incorrectly work with Arabic RTL languages. | | normal | normal | Awaiting Review | defect (bug) | | 03/14/2023 |
| #59355 | TypeError: Cannot read properties of undefined (reading 'hasClass') in wp-auth-check.min.js | | normal | normal | Awaiting Review | defect (bug) | | 09/15/2023 |
| #53973 | WordPress <= 5.8 - Authenticated Persistent XSS (User role name) | | normal | normal | Awaiting Review | defect (bug) | dev-feedback | 12/23/2022 |
| #58916 | Wrong User Password Reset | | normal | normal | Awaiting Review | defect (bug) | | 07/29/2023 |
| #34852 | fix broken re-auth loop (due to expired session) | | normal | normal | Awaiting Review | defect (bug) | | 06/04/2019 |
| #55605 | kses "selected" for option | | normal | normal | Awaiting Review | defect (bug) | has-patch | 06/15/2022 |
| #56391 | safecss_filter_attr(): support rgba background-color | | normal | normal | Awaiting Review | defect (bug) | has-patch | 11/30/2022 |
| #57447 | wp_ajax_inline_save function does not check if post has "public" or "show_ui" enabled | | normal | normal | Awaiting Review | defect (bug) | | 01/11/2023 |
| #56521 | wp_kses wp_kses_hair fails to allow a valueless attribute when is follwed by / | | normal | major | Awaiting Review | defect (bug) | has-patch | 09/06/2022 |
| #38260 | A FORCE_SSL_CANONICAL constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #38259 | A FORCE_SSL_CONTENT constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #38261 | A FORCE_SSL_SCRIPTS constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #37757 | Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+ | | normal | normal | Awaiting Review | enhancement | has-patch | 09/13/2017 |
| #23165 | Admin validation errors on form nonce element IDs (_wpnonce) | | normal | normal | Awaiting Review | enhancement | has-patch | 02/08/2021 |
| #58636 | Automatic Sanitization of Nonces in wp_verify_nonce | | normal | normal | Awaiting Review | enhancement | | 06/26/2023 |
| #56785 | Automatically catch potential security issues before release | | normal | normal | Awaiting Review | enhancement | | 10/11/2022 |
| #39656 | Create a submenu item under About admin bar for security | | normal | normal | Awaiting Review | enhancement | | 01/23/2017 |
| #53296 | Do trim $hook_name within add_action() and add_filter() function | | normal | normal | Awaiting Review | enhancement | has-patch | 05/29/2021 |
| #40237 | Educate users about modern password best-practices | | normal | normal | Awaiting Review | enhancement | | 06/06/2022 |
| #51611 | Escape echoing Core functions | | normal | normal | Awaiting Review | enhancement | | 10/24/2020 |
| #43320 | Harden API requests against man-in-the-middle attacks | | low | minor | Awaiting Review | enhancement | | 02/18/2018 |
| #50510 | Improve security of wp_nonce implementation | | normal | normal | Awaiting Review | enhancement | dev-feedback | 07/11/2023 |
| #51159 | Let's expand our context specific escaping methods for wp_json_encode(). | | normal | normal | Awaiting Review | enhancement | | 08/27/2020 |
| #52544 | Removing database tables allows anyone to take over all website files | | normal | major | Awaiting Review | enhancement | | 07/05/2022 |
| #57424 | Specific hook for Content Security Policy | | normal | normal | Awaiting Review | enhancement | | 01/05/2023 |
| #54512 | Suggestion for file protection | | normal | normal | Awaiting Review | enhancement | | 11/25/2021 |
| #38262 | Task: Opt in SSL Improvements | | normal | normal | Awaiting Review | enhancement | | 02/05/2020 |
| #36177 | default htaccess should include security measures | | normal | normal | Awaiting Review | enhancement | | 11/09/2021 |
| #58765 | the_block_template_skip_link() - XSS vulnerability - Apply FIX | | normal | normal | Awaiting Review | enhancement | has-patch | 07/08/2023 |
| #54280 | wp_verify_nonce should return a filter | | normal | normal | Awaiting Review | enhancement | | 10/17/2021 |
| #55514 | 2FA by default for WordPress | | normal | normal | Awaiting Review | feature request | | 03/06/2023 |
| #43215 | Allow wp_kses to pass allowed CSS properties | | normal | normal | Awaiting Review | feature request | | 02/02/2018 |
| #53902 | Automating the creation of inline javascript and inline stylesheet nonces or hashes | | normal | normal | Awaiting Review | feature request | | 01/03/2022 |
| #55950 | FIDO passwordless authentication? | | normal | minor | Awaiting Review | feature request | | 06/08/2022 |
| #38536 | Hook/Function to Set Content-Security-Policy | | normal | normal | Awaiting Review | feature request | | 06/04/2019 |
| #50613 | disable update for themes e plugin | | normal | normal | Awaiting Review | feature request | | 07/09/2020 |

Candidates for Closure (13 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #46792 | CPANEL Directory Privacy DoesNOT work With WordPress Admin Directory | | normal | blocker | Awaiting Review | defect (bug) | reporter-feedback | 04/05/2019 |
| #44637 | Escape strings in wp-admin/themes.php | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 06/07/2021 |
| #50027 | Retire Phpass and use PHP native password hashing | | normal | normal | Awaiting Review | defect (bug) | needs-unit-tests | 05/08/2023 |
| #57882 | User that has capability to create user can make only administrator. | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 03/07/2023 |
| #57613 | my client made changes to site without being a user | | normal | normal | Awaiting Review | defect (bug) | close | 02/02/2023 |
| #31686 | wp_authenticate_username_password() should check for a WP_Error object | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 08/06/2019 |
| #37670 | wp_validate_redirect fails when running WordPress on a port | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 06/04/2019 |
| #52639 | Add proper Security Attributes to the Cookies set by WordPress | | normal | normal | Awaiting Review | enhancement | reporter-feedback | 06/20/2022 |
| #56160 | Deprecate wp_sanitize_redirect | | normal | normal | Awaiting Review | enhancement | dev-feedback | 07/09/2022 |
| #55067 | Use of undefined constant ABSPATH - assumed 'ABSPATH' as of WP5.9 | | normal | normal | Awaiting Review | enhancement | dev-feedback | 06/12/2023 |
| #47440 | add_header X-Frame-Options | | normal | normal | Awaiting Review | enhancement | close | 05/31/2019 |
| #56335 | use hash_equals to check password hash | | normal | trivial | Awaiting Review | enhancement | close | 10/12/2022 |
| #55228 | Provide Option to Remove Password Visibility Button and Dashicons from WordPress' Login Form | | normal | normal | Awaiting Review | feature request | close | 02/25/2022 |

Tickets Needing Feedback (6 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #15394 | Ancient "Are you sure you want to do this" now confusing | | normal | minor | Future Release | defect (bug) | dev-feedback | 05/17/2019 |
| #16483 | Visibility: password-protected exposes multiple pages | | normal | normal | Future Release | defect (bug) | dev-feedback | 01/30/2022 |
| #56141 | Enhance installer security | | high | major | Future Release | enhancement | dev-feedback | 09/09/2023 |
| #37000 | Support for the SameSite cookie attribute | | normal | normal | Future Release | enhancement | dev-feedback | 11/11/2022 |
| #29429 | Support frame-ancestors directive over X-Frame-Options | | normal | normal | Future Release | enhancement | dev-feedback | 07/29/2019 |
| #21022 | Use bcrypt for password hashing; updating old hashes | | normal | major | Future Release | enhancement | dev-feedback | 05/08/2023 |

Tickets with Patches (7 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #50828 | Update ca-bundle.crt and remove expired certificates | SergeyBiryukov | normal | normal | Future Release | defect (bug) | has-patch | 11/10/2021 |
| #57304 | Add SensitiveParameter attribute to DB connection and login variables | | normal | normal | Future Release | enhancement | has-patch | 02/28/2023 |
| #51407 | Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility | adamsilverstein | normal | normal | Future Release | enhancement | dev-feedback | 05/16/2023 |
| #38474 | wp_signups.activation_key stores activation keys in plain text | SergeyBiryukov | normal | normal | Future Release | enhancement | has-patch | 01/08/2019 |
| #37604 | 'Password Lost/Changed' emails should give indication of the strength of the new password | | normal | normal | Future Release | feature request | dev-feedback | 04/09/2018 |
| #20140 | Ask old password to change user password | | normal | normal | Future Release | feature request | dev-feedback | 06/04/2019 |
| #43936 | Settings: Warn when open registration and new user default is privileged | SergeyBiryukov | normal | major | Future Release | feature request | has-patch | 03/30/2023 |

Unpatched Bugs (2 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #34041 | Tying nonces to sessions breaks when users are switched | | normal | major | Future Release | defect (bug) | | 06/04/2019 |
| #48955 | WP 5.3.1 changes cause potential backwards compatibility breakage with kses | | normal | normal | Future Release | defect (bug) | | 08/12/2020 |

Unpatched Enhancements (8 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #57875 | Add password strength meter for password protected content | | normal | normal | Future Release | enhancement | | 06/01/2023 |
| #28521 | FORCE_SSL constant for really forcing SSL | adamsilverstein | normal | normal | Future Release | enhancement | | 06/08/2023 |
| #44058 | Include security sniffs in PHPCS ruleset | | normal | normal | Future Release | enhancement | | 05/16/2018 |
| #36087 | Migration plan from insecure RNG fallback | | normal | normal | Future Release | enhancement | | 09/30/2020 |
| #51438 | Use CSP directive upgrade-insecure-requests when using HTTPS | | normal | normal | Future Release | enhancement | needs-unit-tests | 11/09/2021 |
| #52388 | Use HTTPS URL already during installation if supported | | normal | normal | Future Release | enhancement | needs-unit-tests | 01/28/2021 |
| #32067 | Remove inline javascript from WP-Core to allow CSP protection | | normal | normal | Future Release | feature request | | 09/28/2020 |
| #50437 | Add leniency to the overdue check for plugin and theme auto updates | | normal | normal | Future Release | task (blessed) | | 07/14/2020 |