Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#44663 closed defect (bug) (duplicate)

Disallow direct access to wp-includes php files

Reported by: lucasbustamante
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 4.9.7
Component: General
Keywords: (none)
Focuses: (none)
Cc: (none)


Running WP Scan on my website, I saw a full path disclosure vulnerability under wp-includes/rss-functions.php

Error code:

Call to undefined function _deprecated_file() in /home/mydomain/public_html/wp-includes/rss-functions.php on line 8

This is its source code:

```php
<?php
/**
 * Deprecated. Use rss.php instead.
 *
 * @package WordPress
 */
_deprecated_file( basename( __FILE__ ), '2.1.0', WPINC . '/rss.php' );
require_once( ABSPATH . WPINC . '/rss.php' );
```

A lot of files under wp-includes look similar to this one.

I wonder if it would make sense to prevent direct access to these files, since they use the _deprecated_file() function, which is loaded with WordPress.

```php
if ( ! defined( 'ABSPATH' ) ) exit;
```

I have turned off display_errors on my website, but still, it makes sense to me. Other people are having this issue, and many others don't even know what WP Scan is and are vulnerable without even knowing.
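For reference, this is what a deprecated stub looks like with the guard the reporter proposes applied. It is an added example written for this page, not WordPress core code; the file name (wp-includes/example-deprecated.php) and the replacement target (example.php) are hypothetical. The guard removes the application-side trigger (calling a WordPress function before WordPress has loaded); it does not change whether PHP would print a fatal error, which is governed by display_errors.

```php
<?php
/**
 * Deprecated stub guarded against direct HTTP requests.
 *
 * Added example, not WordPress core code. It mirrors the shape of the
 * deprecated wp-includes stubs quoted in the ticket and adds the ABSPATH
 * guard proposed there. File name and replacement target are hypothetical.
 *
 * @package WordPress
 */

// _deprecated_file() only exists once wp-load.php has bootstrapped
// WordPress, and that bootstrap is also what defines ABSPATH. A direct
// request to this file (GET /wp-includes/example-deprecated.php) skips
// the bootstrap, so the call below would be a fatal "Call to undefined
// function" whose message contains this file's absolute path. Exiting
// first means no such error is ever raised for a direct request. This is
// independent of display_errors, which still has to be off in production
// so that any other fatal error is logged rather than sent to the client.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

_deprecated_file( basename( __FILE__ ), '2.1.0', WPINC . '/example.php' );
require_once ABSPATH . WPINC . '/example.php';
```

Requested directly, the guarded file returns an empty 200 response instead of an error; included from within WordPress, it behaves exactly as before because ABSPATH is already defined.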

Change History (1)

#1 @swissspidy
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hey there

This has come up many times before, for example in #36177 and #30806.

Path disclosure is a server configuration problem. Never enable display_errors on a production site. See Security FAQ.
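One detail worth checking when following this advice: settings placed in wp-config.php (WP_DEBUG, WP_DEBUG_DISPLAY, WP_DEBUG_LOG) have no effect on a direct request to a wp-includes file, because WordPress never loads for such a request. Only the PHP runtime configuration (php.ini, a .user.ini, or the web server's PHP directives) decides whether the fatal error in the ticket reaches the response. The script below is an added example, not WordPress or WPScan code, that checks those runtime settings; the function names and the finding wording are this example's own.

```php
<?php
/**
 * Added example, not WordPress core code: check the PHP runtime settings
 * that decide whether a fatal error on a directly requested wp-includes
 * file leaks the absolute path into the HTTP response.
 *
 * wp-config.php is irrelevant to that request path: a direct request to
 * wp-includes/rss-functions.php never bootstraps WordPress, so only
 * php.ini, .user.ini or web server PHP directives apply. Names here
 * (fpd_check_ini, fpd_check_runtime) are this example's own.
 */

/**
 * Evaluate a set of ini values and return a list of findings (empty = OK).
 * $ini maps directive name => string value, as ini_get() would return it.
 */
function fpd_check_ini( array $ini ): array {
	$findings = array();

	// PHP accepts several spellings for "on"; normalise before comparing.
	// "stdout"/"stderr" are valid display_errors values and count as on.
	$is_on = static function ( string $value ): bool {
		$v = strtolower( trim( $value ) );
		return in_array( $v, array( '1', 'on', 'true', 'yes', 'stdout', 'stderr' ), true );
	};

	if ( $is_on( $ini['display_errors'] ?? '' ) ) {
		$findings[] = 'display_errors is on: fatal errors, including absolute file paths, are written into the response body.';
	}
	if ( $is_on( $ini['display_startup_errors'] ?? '' ) ) {
		$findings[] = 'display_startup_errors is on: startup errors are also written into the response.';
	}
	if ( ! $is_on( $ini['log_errors'] ?? '' ) ) {
		$findings[] = 'log_errors is off: once display_errors is off as well, fatal errors are dropped instead of reaching a log.';
	}
	if ( '' === trim( $ini['error_log'] ?? '' ) ) {
		$findings[] = 'error_log is unset: errors go to the SAPI default logger; set an explicit file outside the document root.';
	}
	if ( $is_on( $ini['expose_php'] ?? '' ) ) {
		$findings[] = 'expose_php is on: the X-Powered-By header reveals the PHP version.';
	}

	return $findings;
}

/** Read the live settings of the current SAPI and check them. */
function fpd_check_runtime(): array {
	$names = array( 'display_errors', 'display_startup_errors', 'log_errors', 'error_log', 'expose_php' );
	$ini   = array();
	foreach ( $names as $name ) {
		$ini[ $name ] = (string) ini_get( $name );
	}
	return fpd_check_ini( $ini );
}

// Command-line entry point: exit 1 when any production-unsafe setting is found.
if ( PHP_SAPI === 'cli' && realpath( $argv[0] ?? '' ) === __FILE__ ) {
	$findings = fpd_check_runtime();
	if ( empty( $findings ) ) {
		echo "OK: error display settings are production-safe for this SAPI.\n";
		exit( 0 );
	}
	foreach ( $findings as $finding ) {
		echo "WARN: {$finding}\n";
	}
	exit( 1 );
}
```

Run it against the same configuration the web server uses, for example `php -c /path/to/fpm/php.ini fpd-check.php`; the CLI SAPI's own defaults turn display_errors on, so a bare `php fpd-check.php` reports the CLI configuration, not the site's. The expected production values are display_errors=Off, display_startup_errors=Off, log_errors=On and an explicit error_log path outside the web root.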
