WordPress.org

Make WordPress Core

{31} Tickets in the Security component (50 matches)

  • Active tickets in the Security component
  • Grouped by workflow and sorted by type, summary
  • Accepted tickets have an '*' appended to their owner's name

Slated for Next Release (4 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #50828 | Update ca-bundle.crt and remove expired certificates | SergeyBiryukov | normal | normal | 5.6 | defect (bug) | commit | 10/27/2020 |
| #5272 | WordPress allows anonymous user to see slug for private post by guessing post number | SergeyBiryukov | normal | normal | 5.6 | defect (bug) | has-patch | 08/15/2020 |
| #39941 | Allow using Content-Security-Policy without unsafe-inline | | normal | normal | 5.7 | enhancement | has-patch | 10/23/2020 |
| #47577 | Detect HTTPS support and provide guidance | flixos90 | normal | normal | 5.7 | enhancement | has-patch | 10/20/2020 |

Tickets Awaiting Review (23 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #24907 | Escape admin_url() when used for ajax_url in admin header | | normal | normal | Awaiting Review | defect (bug) | has-patch | 06/04/2019 |
| #41391 | Links to media in password protected pages | | normal | normal | Awaiting Review | defect (bug) | | 07/24/2017 |
| #37559 | Password protected pages require the password only once | | normal | normal | Awaiting Review | defect (bug) | | 06/04/2019 |
| #37264 | Please do not chmod 666 the wp-config.php file on installation. | | normal | normal | Awaiting Review | defect (bug) | has-patch | 03/22/2019 |
| #34852 | fix broken re-auth loop (due to expired session) | | normal | normal | Awaiting Review | defect (bug) | | 06/04/2019 |
| #38260 | A FORCE_SSL_CANONICAL constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #38259 | A FORCE_SSL_CONTENT constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #38261 | A FORCE_SSL_SCRIPTS constant | | normal | normal | Awaiting Review | enhancement | | 06/04/2019 |
| #37757 | Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+ | | normal | normal | Awaiting Review | enhancement | has-patch | 09/13/2017 |
| #23165 | Admin validation errors on form nonce element IDs (_wpnonce) | | normal | normal | Awaiting Review | enhancement | has-patch | 10/15/2020 |
| #39656 | Create a submenu item under About admin bar for security | | normal | normal | Awaiting Review | enhancement | | 01/23/2017 |
| #40237 | Educate users about modern password best-practices | | normal | normal | Awaiting Review | enhancement | | 02/09/2018 |
| #51611 | Escape echoing Core functions | | normal | normal | Awaiting Review | enhancement | | 10/24/2020 |
| #43320 | Harden API requests against man-in-the-middle attacks | | low | minor | Awaiting Review | enhancement | | 02/18/2018 |
| #51159 | Let's expand our context specific escaping methods for wp_json_encode(). | | normal | normal | Awaiting Review | enhancement | | 08/27/2020 |
| #51437 | Streamline migrating from HTTP to HTTPS | flixos90 | normal | normal | Awaiting Review | enhancement | needs-unit-tests | 10/02/2020 |
| #38262 | Task: Opt in SSL Improvements | | normal | normal | Awaiting Review | enhancement | | 02/05/2020 |
| #51438 | Use CSP directive upgrade-insecure-requests when using HTTPS | | normal | normal | Awaiting Review | enhancement | needs-unit-tests | 10/08/2020 |
| #37941 | add rel="noopener noreferrer" to any target="_blank" | nicolapeluchetti | normal | normal | Awaiting Review | enhancement | has-patch | 10/19/2020 |
| #36177 | default htaccess should include security measures | | normal | normal | Awaiting Review | enhancement | | 02/05/2020 |
| #43215 | Allow wp_kses to pass allowed CSS properties | | normal | normal | Awaiting Review | feature request | | 02/02/2018 |
| #38536 | Hook/Function to Set Content-Security-Policy | | normal | normal | Awaiting Review | feature request | | 06/04/2019 |
| #50613 | disable update for themes e plugin | | normal | normal | Awaiting Review | feature request | | 07/09/2020 |

Candidates for Closure (8 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #46792 | CPANEL Directory Privacy DoesNOT work With WordPress Admin Directory | | normal | blocker | Awaiting Review | defect (bug) | reporter-feedback | 04/05/2019 |
| #44637 | Escape strings in wp-admin/themes.php | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 07/24/2018 |
| #50027 | Retire Phpass and use PHP native password hashing | | normal | normal | Awaiting Review | defect (bug) | needs-unit-tests | 04/29/2020 |
| #31686 | wp_authenticate_username_password() should check for a WP_Error object | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 08/06/2019 |
| #37670 | wp_validate_redirect fails when running WordPress on a port | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 06/04/2019 |
| #50510 | Improve security of wp_nonce implementation | | normal | normal | Awaiting Review | enhancement | reporter-feedback | 08/20/2020 |
| #51407 | Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility | adamsilverstein | normal | normal | Awaiting Review | enhancement | dev-feedback | 10/15/2020 |
| #47440 | add_header X-Frame-Options | | normal | normal | Awaiting Review | enhancement | close | 05/31/2019 |

Tickets Needing Feedback (5 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #15394 | Ancient "Are you sure you want to do this" now confusing | | normal | minor | Future Release | defect (bug) | dev-feedback | 05/17/2019 |
| #16483 | Visibility: password-protected exposes multiple pages | | normal | normal | Future Release | defect (bug) | dev-feedback | 09/26/2018 |
| #37000 | Support for the SameSite cookie attribute | | normal | normal | Future Release | enhancement | dev-feedback | 08/27/2020 |
| #29429 | Support frame-ancestors directive over X-Frame-Options | | normal | normal | Future Release | enhancement | dev-feedback | 07/29/2019 |
| #21022 | Use bcrypt for password hashing; updating old hashes | | normal | major | Future Release | enhancement | dev-feedback | 08/02/2020 |

Tickets with Patches (3 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #38474 | wp_signups.activation_key stores activation keys in plain text | SergeyBiryukov | normal | normal | Future Release | enhancement | has-patch | 01/08/2019 |
| #37604 | 'Password Lost/Changed' emails should give indication of the strength of the new password | | normal | normal | Future Release | feature request | dev-feedback | 04/09/2018 |
| #20140 | Ask old password to change user password | | normal | normal | Future Release | feature request | dev-feedback | 06/04/2019 |

Unpatched Bugs (2 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #34041 | Tying nonces to sessions breaks when users are switched | | normal | major | Future Release | defect (bug) | | 06/04/2019 |
| #48955 | WP 5.3.1 changes cause potential backwards compatibility breakage with kses | | normal | normal | Future Release | defect (bug) | | 08/12/2020 |

Unpatched Enhancements (5 matches)

| Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified |
|---|---|---|---|---|---|---|---|---|
| #28521 | FORCE_SSL constant for really forcing SSL | | normal | normal | Future Release | enhancement | | 07/01/2019 |
| #44058 | Include security sniffs in PHPCS ruleset | | normal | normal | Future Release | enhancement | | 05/16/2018 |
| #36087 | Migration plan from insecure RNG fallback | | normal | normal | Future Release | enhancement | | 09/30/2020 |
| #32067 | Remove inline javascript from WP-Core to allow CSP protection | | normal | normal | Future Release | feature request | | 09/28/2020 |
| #50437 | Add leniency to the overdue check for plugin and theme auto updates | | normal | normal | Future Release | task (blessed) | | 07/14/2020 |