Critical vurnelability - logging in with username and password of another wordpress web site

[smartwater]

Hi there,

I have three wordpress web sites all three of them hosted by the same web hosting company.

Yesterday I noticed I logged in as administrator to web site #3 using user name and password of my web site #1.

I use opera browser, I saved those user names and passwords within Opera browser and for some weird reason opera offered me user name and password of my web site #1 when I wanted to log into web site #3. And it worked.

I am not very proficient with programming etc but things like that should not happen.

I use Wordfence plugin also another 2-3 plugins.

I hope this information will be useful.

Regards,

Milorad

[SergeyBiryukov]

Hi there, welcome to WordPress Trac!

When writing the ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the ​Security FAQ and visit the ​WordPress HackerOne program.

Worth noting that there are several possible explanations:

• If the sites are on a ​Multisite network, they have a shared users table.
• Single sites can also have a shared users table via the ​constants set in wp-config.php.
• The user could be created manually with the same credentials on more than one site.

If you think you have found a real security vulnerability, please head over to HackerOne, and do not post it here.

Thanks for your cooperation.