Opened 8 months ago
Last modified 8 months ago
#61513 new defect (bug)
Attention points in Pentest
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
Team WP, good evening.
The security team of one of the projects I work on asked me to make some adjustments to increase the security level, and this led me to edit some WordPress Core files. I would like to see the possibility of including them in the Core permanently, focusing on increasing community security.
- Direct access to some files inside the /wp-admin folder can lead to exposure of sensitive data:
  - /wp-admin/admin-functions.php
  - /wp-admin/admin-header.php
  - /wp-admin/custom-background.php
  - /wp-admin/custom-header.php

To adjust this I've just added this code at the top of each file:

```php
// Don't load directly.
if ( ! defined( 'ABSPATH' ) ) {
	die( '-1' );
}
```

- Direct access to /wp-admin/upgrade.php can expose a WP installation. To fix it I've added this code to /wp-admin/upgrade.php after the require of the wp-load.php file:

```php
if ( ! is_user_logged_in() ) {
	die( '-1' );
}
```

If possible, I would like the impact of the proposed adjustments to be checked and, if they are within the standards, for them to be added to the WP core.
Hi @raphaelsramos

Point 1 is already covered in #61314.

Point 2: WordPress includes security measures to protect sensitive operations like upgrades. These typically include nonce checks (to prevent cross-site request forgery) and capability checks. While accessing upgrade.php directly is not a security risk in itself, it's always important to keep your WordPress installation updated to the latest version to mitigate potential security vulnerabilities.

WordPress can also be upgraded using the Command Line Interface (CLI) without needing to be logged into the admin dashboard. For that case, if the following line of code is added to upgrade.php and the user is not logged in, they will be redirected to wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2F, and the screen will remain blank.

So for those who install WordPress after logging in, that will work, but if the WordPress upgrade process is initiated via WP-CLI without the site admin being logged in, the user will encounter a blank screen.