Opened 9 years ago
Last modified 6 years ago
#36779 new defect (bug)
Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.4.2 |
| Component: | Script Loader | Keywords: | |
| Focuses: | Cc: |
Description
Basically these files are inside /wp-admin directory, but you can hit them and get an output without being authenticated,
examples:
http://somedomain.usingwp.com/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=4.4.2
http://somedomain.usingwp.com/wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=4.4.2
If these scripts are for use inside admin, why authentication isn't required?,
if these scripts are for general use on the admin, themes, etc, why these aren't on wp-includes?
This was pointed to me on a security scan, and apart from that if the idea is general use for this, I think hosting these on /wp-admin is misleading.