Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#49315 closed defect (bug) (invalid)

Critical vulnerability - logging in with username and password of another WordPress web site

Reported by: smartwater
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses:
Cc:


Hi there,

I have three WordPress web sites, all three of them hosted by the same web hosting company.

Yesterday I noticed I logged in as administrator to web site #3 using the user name and password of my web site #1.

I use the Opera browser. I saved those user names and passwords within the Opera browser, and for some weird reason Opera offered me the user name and password of my web site #1 when I wanted to log into web site #3. And it worked.

I am not very proficient with programming etc., but things like that should not happen.

I use the Wordfence plugin and also another 2-3 plugins.

I hope this information will be useful.



Change History (1)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Users
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

When writing the ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Worth noting that there are several possible explanations:

If you think you have found a real security vulnerability, please head over to HackerOne, and do not post it here.

Thanks for your cooperation.
