Make WordPress Core

{31} Tickets in the Security component (57 matches)

  • Active tickets in the Security component
  • Grouped by workflow and sorted by type, summary
  • Accepted tickets have an '*' appended to their owner's name

Candidates for Closure (5 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#62202 | allow plugin versions to be flagged as security updates | | normal | normal | Awaiting Review | feature request | close | 10/10/2024
#61942 | Add "no-store" to Cache-Control header to prevent unexpected cache behavior | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 12/06/2024
#31686 | wp_authenticate_username_password() should check for a WP_Error object | | normal | normal | Awaiting Review | defect (bug) | reporter-feedback | 08/06/2019
#50510 | Improve security of wp_nonce implementation | | normal | normal | Awaiting Review | enhancement | reporter-feedback | 11/19/2024
#62055 | Put index.php into Public folder on the root directory | | normal | normal | Awaiting Review | enhancement | reporter-feedback | 11/19/2024

Slated for Next Release (10 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#30465 | Dashboard alert if a plugin/theme was removed from WordPress repo | | normal | normal | 6.8 | feature request | dev-feedback | 01/15/2025
#61711 | Password-protected pages lacking appropriate 'Cache-Control' request header | johnbillion* | normal | normal | 6.8 | defect (bug) | has-patch | 12/13/2024
#62811 | Update bundled root certificates for 6.8 | | normal | normal | 6.8 | defect (bug) | has-patch | 01/16/2025
#62711 | `external-http` test failures in 4.1-4.5 branches | | normal | normal | 6.8 | defect (bug) | has-patch | 01/16/2025
#57304 | Add SensitiveParameter attribute to DB connection and login variables | | normal | normal | 6.8 | enhancement | has-patch | 10/01/2024
#21022 | Use bcrypt for password hashing; updating old hashes | johnbillion* | normal | normal | 6.8 | enhancement | has-patch | 01/15/2025
#58765 | the_block_template_skip_link() - XSS vulnerability - Apply FIX | | normal | normal | 6.8 | enhancement | has-patch | 11/19/2024
#61322 | HTTPOnly attribute for WP Test Cookies | | normal | normal | 6.8 | feature request | has-patch | 11/19/2024
#43936 | Settings: Warn when open registration and new user default is privileged | audrasjb* | normal | normal | 6.8 | feature request | has-patch | 10/25/2024
#62815 | Explicitly require the `hash` extension | johnbillion | normal | normal | 6.8 | task (blessed) | has-patch | 01/17/2025
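The pattern behind #21022 (hash new passwords with bcrypt, and upgrade existing hashes on the user's next successful login rather than all at once) looks like the following. This is an added illustration, not WordPress core code or the patch on the ticket; the function names are hypothetical, and unsalted MD5 stands in for whatever legacy format a site may hold.

```php
<?php
// Added illustration for ticket #21022, not WordPress core code: hash new
// passwords with bcrypt and upgrade legacy hashes transparently on the next
// successful login. Function names are hypothetical; the legacy format is
// assumed to be unsalted MD5 purely as a stand-in for any older scheme.
declare(strict_types=1);

const BCRYPT_COST = 12;

/** Hash a new or re-entered password with bcrypt. */
function hash_password(string $plain): string
{
    // bcrypt only considers the first 72 bytes of input; refuse longer
    // passwords rather than silently truncating them.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Assumption: a legacy hash is 32 lowercase hex characters (MD5). */
function is_legacy_hash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/**
 * Check $plain against $stored. Returns null when the password is wrong.
 * On success returns the hash the caller should keep: the stored one, or a
 * fresh bcrypt hash when the stored one was legacy or used an outdated cost.
 */
function verify_and_upgrade(string $plain, string $stored): ?string
{
    if (is_legacy_hash($stored)) {
        if (!hash_equals($stored, md5($plain))) {
            return null;
        }
        return hash_password($plain);   // first successful login: upgrade
    }
    if (!password_verify($plain, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hash_password($plain);   // cost was raised since this hash was made
    }
    return $stored;
}

// Usage with constructed data.
$legacy = md5('correct horse battery');
$upgraded = verify_and_upgrade('correct horse battery', $legacy);
assert($upgraded !== null && strncmp($upgraded, '$2y$', 4) === 0);
assert(verify_and_upgrade('wrong password', $legacy) === null);
// Already bcrypt at the current cost: the stored hash is returned unchanged.
assert(verify_and_upgrade('correct horse battery', $upgraded) === $upgraded);
```

The caller persists the returned hash whenever it differs from the stored one, so the database migrates one login at a time and accounts that never log in again keep their old hash (which is why a dormant-account policy belongs alongside this). Two caveats worth keeping in mind: `password_needs_rehash()` also handles future cost increases, and the 72-byte bcrypt limit means a legacy password longer than that would fail the upgrade path here, so a deployment must decide between rejecting such passwords and pre-hashing before bcrypt.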

Tickets Awaiting Review (28 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#41391 | Links to media in password protected pages | | normal | normal | Awaiting Review | defect (bug) | | 07/24/2017
#59824 | PHP Warning raised in pluggable.php when passing NULL instead of a string | | normal | normal | Awaiting Review | defect (bug) | | 11/07/2023
#53994 | REST API requests with session cookies but an invalid/missing nonce are considered authenticated for most of the request | | normal | normal | Awaiting Review | defect (bug) | | 08/24/2021
#56860 | Sodium Compat library is improperly loaded | | normal | normal | Awaiting Review | defect (bug) | | 11/19/2024
#62693 | check if chmod is available to prevent Fatal Errors | | normal | normal | Awaiting Review | defect (bug) | | 12/14/2024
#58679 | meta key field in usermeta table should NOT use accent insensitive collations | | normal | major | Awaiting Review | defect (bug) | | 10/30/2023
#57447 | wp_ajax_inline_save function does not check if post has "public" or "show_ui" enabled | | normal | normal | Awaiting Review | defect (bug) | | 01/11/2023
#62384 | .htaccess lacks | | normal | normal | Awaiting Review | enhancement | | 12/09/2024
#58636 | Automatic Sanitization of Nonces in wp_verify_nonce | | normal | normal | Awaiting Review | enhancement | | 06/26/2023
#40237 | Educate users about modern password best-practices | | normal | normal | Awaiting Review | enhancement | | 06/06/2022
#51611 | Escape echoing Core functions | | normal | normal | Awaiting Review | enhancement | | 10/24/2020
#43320 | Harden API requests against man-in-the-middle attacks | | low | minor | Awaiting Review | enhancement | | 02/18/2018
#51159 | Let's expand our context specific escaping methods for wp_json_encode(). | | normal | normal | Awaiting Review | enhancement | | 05/09/2024
#57424 | Specific hook for Content Security Policy | | normal | normal | Awaiting Review | enhancement | | 01/05/2023
#61706 | Support for storing and getting encrypted options | | normal | normal | Awaiting Review | enhancement | | 07/19/2024
#60470 | Use `filter_input` instead of superglobals where possible | | normal | normal | Awaiting Review | enhancement | | 02/09/2024
#36177 | default htaccess should include security measures | | normal | normal | Awaiting Review | enhancement | | 12/24/2024
#55514 | 2FA by default for WordPress | | normal | normal | Awaiting Review | feature request | | 03/06/2023
#43215 | Allow wp_kses to pass allowed CSS properties | | normal | normal | Awaiting Review | feature request | | 01/16/2025
#53902 | Automating the creation of inline javascript and inline stylesheet nonces or hashes | | normal | normal | Awaiting Review | feature request | | 07/03/2024
#61640 | Issues in edit_link Function: Inconsistent Return Values, Insufficient Permission Error Handling, and Data Sanitization | | normal | major | Awaiting Review | defect (bug) | has-patch | 07/31/2024
#52333 | Lack of the : entity on the list of allowed entity names in kses.php | | normal | minor | Awaiting Review | defect (bug) | has-patch | 01/20/2021
#37264 | Please do not chmod 666 the wp-config.php file on installation. | | normal | normal | Awaiting Review | defect (bug) | has-patch | 03/22/2019
#53869 | Post type / Taxonomy Label Hardening: Prevent Raw HTML tags in output / Media Library eval of HTML entities in label | | normal | normal | Awaiting Review | defect (bug) | has-patch | 08/04/2021
#60864 | URL sanitizing strips valid characters instead of encoding, documented use is invalid | | normal | normal | Awaiting Review | defect (bug) | has-patch | 04/03/2024
#56521 | wp_kses wp_kses_hair fails to allow a valueless attribute when it is followed by / | | normal | major | Awaiting Review | defect (bug) | has-patch | 09/06/2022
#37757 | Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+ | | normal | normal | Awaiting Review | enhancement | has-patch | 09/13/2017
#23165 | Admin validation errors on form nonce element IDs (_wpnonce) | | normal | normal | Awaiting Review | enhancement | has-patch | 02/08/2021
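What #37757 is asking for is the `allowed_classes` option that `unserialize()` has accepted since PHP 7.0, which is what stops serialized input from instantiating arbitrary classes (PHP object injection). The following added example, which is not WordPress core code or the ticket's patch, shows a deliberately harmless "gadget" class, the unsafe call beside the hardened one, and the difference in behaviour; the class, function names and payload are all constructed for the demonstration.

```php
<?php
// Added illustration for ticket #37757, not WordPress core code: what the
// allowed_classes option of unserialize() (PHP 7.0+) prevents. The class and
// function names are hypothetical; the payload is constructed for the demo.
declare(strict_types=1);

// A class whose destructor has a side effect. Real-world "gadgets" of this
// shape write files, run queries or include code; here the side effect is
// only recorded so the demo is harmless.
class LogFlusher
{
    public static array $fired = [];
    public string $path = '/tmp/app.log';

    public function __destruct()
    {
        self::$fired[] = $this->path;   // attacker-controlled property
    }
}

/** Unsafe: any class named in the input is instantiated. */
function unsafe_unserialize(string $serialized)
{
    return unserialize($serialized);
}

/**
 * Hardened: only data (scalars and arrays) plus explicitly allowed classes
 * come back. Objects of any other class become __PHP_Incomplete_Class,
 * which has no magic methods for an attacker to trigger.
 */
function safe_unserialize(string $serialized, array $allowed = [])
{
    return unserialize($serialized, ['allowed_classes' => $allowed === [] ? false : $allowed]);
}

// Constructed attacker payload: a LogFlusher pointing at a path of the
// attacker's choosing.
$payload = 'O:10:"LogFlusher":1:{s:4:"path";s:14:"/tmp/pwned.php";}';

// Unsafe path: the object exists, and its destructor runs when it is released.
$obj = unsafe_unserialize($payload);
unset($obj);
assert(LogFlusher::$fired === ['/tmp/pwned.php']);

// Hardened path: no LogFlusher is ever created, so nothing fires.
$obj = safe_unserialize($payload);
assert($obj instanceof __PHP_Incomplete_Class);
unset($obj);
assert(count(LogFlusher::$fired) === 1);

// Ordinary data still round-trips.
assert(safe_unserialize('a:1:{s:3:"key";i:42;}') === ['key' => 42]);
```

The practical point for a wrapper such as the one the ticket names is that the default should be `false` (data only), with an explicit allow-list passed by callers that genuinely need objects back; passing `true` restores the unsafe behaviour. An incomplete-class result is also a useful signal to log, since legitimate stored options rarely contain objects of unexpected classes.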

Tickets Needing Feedback (3 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#56141 | Enhance installer security | | high | major | Future Release | enhancement | dev-feedback | 12/31/2023
#37000 | Support for the SameSite cookie attribute | | normal | normal | Future Release | enhancement | dev-feedback | 06/06/2024
#29429 | Support frame-ancestors directive over X-Frame-Options | | normal | normal | Future Release | enhancement | dev-feedback | 07/29/2019

Tickets with Patches (4 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#51407 | Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility | adamsilverstein | normal | normal | Future Release | enhancement | dev-feedback | 12/26/2023
#20140 | Ask old password to change user password | | normal | major | Future Release | feature request | dev-feedback | 07/28/2024
#53973 | WordPress <= 5.8 - Authenticated Persistent XSS (User role name) | | normal | normal | Future Release | defect (bug) | has-patch | 06/15/2024
#38474 | wp_signups.activation_key stores activation keys in plain text | SergeyBiryukov | normal | normal | Future Release | enhancement | has-patch | 04/23/2024

Unpatched Bugs (2 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#62134 | Security Issue in WordPress Core | | normal | normal | | defect (bug) | | 10/14/2024
#48955 | WP 5.3.1 changes cause potential backwards compatibility breakage with kses | | normal | normal | Future Release | defect (bug) | | 08/12/2020

Unpatched Enhancements (5 matches)

Ticket | Summary | Owner | Priority | Severity | Milestone | Type | Workflow | Modified
#28521 | FORCE_SSL constant for really forcing SSL | adamsilverstein | normal | normal | Future Release | enhancement | | 11/19/2024
#44058 | Include security sniffs in PHPCS ruleset | | normal | normal | Future Release | enhancement | | 05/16/2018
#36087 | Migration plan from insecure RNG fallback | | normal | normal | Future Release | enhancement | | 09/30/2020
#32067 | Remove inline javascript from WP-Core to allow CSP protection | | normal | normal | Future Release | feature request | | 06/18/2024
#51438 | Use CSP directive upgrade-insecure-requests when using HTTPS | | normal | normal | Future Release | enhancement | needs-unit-tests | 11/09/2021