Make WordPress Core

Opened 3 years ago

Last modified 4 months ago

#36779 new defect (bug)

Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes

Reported by: SaulNunez
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4.2
Component: Script Loader
Keywords:
Focuses:
Cc:
PR Number:

Description

Basically these files are inside the /wp-admin directory, but you can hit them and get output without being authenticated.

Examples:
http://somedomain.usingwp.com/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=4.4.2
http://somedomain.usingwp.com/wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=4.4.2

If these scripts are for use inside the admin, why isn't authentication required?
If these scripts are for general use on the admin, themes, etc., why aren't they in wp-includes?

This was pointed out to me by a security scan, and apart from that, if the idea is general use for this, I think hosting these in /wp-admin is misleading.
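A small probe that reproduces the observation in this ticket, added here as an example; it is not code from the ticket or from WordPress core. It takes the two endpoint paths, their parameter names and the handle lists from the example URLs above. The site name (example.test), the response labels and the sample responses used to exercise classify() are this example's own assumptions, constructed for offline demonstration. It sends no cookies, so a 200 with a JavaScript or CSS body means the endpoint served the concatenated assets to an anonymous client; a login redirect or a 401/403 would mean something (a web server rule, a plugin) is gating the path.

```python
"""Probe for the behaviour this ticket describes: /wp-admin/load-scripts.php
and /wp-admin/load-styles.php answering an anonymous client.

Added example for this page; it is not part of the ticket or of WordPress
core. Endpoint paths, parameter names and handle lists come from the ticket's
two example URLs; everything else (hostname, labels) is this example's own
assumption.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Script/style handles copied from the ticket's example URLs.
SCRIPT_HANDLES = ["hoverIntent", "common", "admin-bar", "svg-painter",
                  "heartbeat", "wp-auth-check"]
STYLE_HANDLES = ["dashicons", "admin-bar", "wp-admin", "buttons", "wp-auth-check"]

# Media types that indicate the endpoint returned concatenated JS/CSS.
ASSET_TYPES = {"application/javascript", "text/javascript",
               "application/x-javascript", "text/css"}


def build_urls(base, ver):
    """Return (load-scripts URL, load-styles URL) for a site, mirroring the
    query strings in the ticket: c=0 asks for uncompressed output, ver is
    the WordPress version string the site reports."""
    base = base.rstrip("/")
    scripts = base + "/wp-admin/load-scripts.php?" + urlencode(
        {"c": 0, "load[]": ",".join(SCRIPT_HANDLES), "ver": ver})
    styles = base + "/wp-admin/load-styles.php?" + urlencode(
        {"c": 0, "dir": "ltr", "load": ",".join(STYLE_HANDLES), "ver": ver})
    return scripts, styles


def classify(status, content_type, body):
    """Label a response from one of the endpoints.

    'served-unauthenticated': 200 with a non-empty JS/CSS body, i.e. the
    behaviour the ticket reports. 'redirected' / 'auth-enforced': a login
    redirect or a 401/403, i.e. something is gating the endpoint.
    """
    if status in (301, 302, 303, 307, 308):
        return "redirected"
    if status in (401, 403):
        return "auth-enforced"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if status == 200 and media_type in ASSET_TYPES and body.strip():
        return "served-unauthenticated"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError instead of following them, so a login
    redirect is reported rather than turned into a 200 login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Fetch url with no cookies or credentials and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "load-scripts-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), "")


def check_site(base, ver):
    """Probe both endpoints and return {url: label}."""
    return {url: probe(url) for url in build_urls(base, ver)}


if __name__ == "__main__":
    # Usage: python check_loaders.py https://site.example 4.4.2
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.test"
    version = sys.argv[2] if len(sys.argv) > 2 else "4.4.2"
    for url, label in check_site(site, version).items():
        print(label, url)
```

On a stock install the expected result is "served-unauthenticated" for both URLs, which is exactly what the ticket points out; the probe is useful mainly to confirm that observation on a given site, or to verify a server-side rule that restricts these two paths, without following redirects that would otherwise make a login page look like a successful fetch.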

Change History (0)
