Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#47412 closed defect (bug) (invalid)

home pages of sites under maintenance can be displayed by adding /?wp-login.php to url

Reported by: sportair
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

I have discovered by accident that adding /?wp-login.php to the URL of a site in maintenance mode allows the site home page to be displayed. No further navigation is possible.

Since discovering this today I have successfully displayed the home page on several different sites while in maintenance mode.

Regards

Chris

Change History (1)

#1 @dd32
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @sportair,

WordPress doesn't include any Maintenance Mode functionality by default, so I'm assuming the sites in question are using a plugin.

This trac isn't for reporting security issues, let alone plugin security issues.
For details on how to report such issues, please see these handbooks:
https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
