Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#61513 new defect (bug)

Attention points in Pentest

Reported by: raphaelsramos's profile raphaelsramos Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

Team WP, good evening.

The security team of one of the projects I work on asked me to make some adjustments to increase the security level, and this led me to edit some WordPress Core files. I would like to see the possibility of including them in the Core permanently, focusing on increasing community security.

  1. Direct access to some files inside /wp-admin folder can lead to exposure of sensible data:
    • /wp-admin/admin-functions.php
    • /wp-admin/admin-header.php
    • /wp-admin/custom-background.php
    • /wp-admin/custom-header.php

For adjust i've just add this code on top of file:

Don't load directly.
if ( ! defined( 'ABSPATH' ) ) {

die( '-1' );

}

  1. Direct access to /wp-admin/upgrade.php can exposure a WP installation. To fix it i've add this code to /wp-admin/upgrade.php after the require of the wp-load.ph file

if( !is_user_logged_in() ){

die( '-1' );

}

If possible, I would like to check the impact of the proposed adjustments and, if they are within the standards, that they are added to the WP core.

Change History (1)

#1 @deepakrohilla
4 weeks ago

HI @raphaelsramos
point 1 already covered in #61314
point 2 : WordPress includes security measures to protect sensitive operations like upgrades.
These typically include nonce checks (to prevent cross-site request forgery) and capability checks,
While accessing upgrade.php directly is not a security risk in itself,
it's always important to keep your WordPress installation updated to the latest version to mitigate potential security vulnerabilities.

WordPress can also be upgraded using the Command Line Interface (CLI) without needing to be logged into the admin dashboard for that case,
If the following line of code is added to upgrade.php, and the user is not logged in, they will be redirected to wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2F, and the screen will remain blank

<?php
if( !is_user_logged_in() ){
        die(-1);
}

so for that who install wordpress after loggedin that will work but ff WordPress upgrade process is initiated via WP-CLI without the site admin being logged in, the user will encounter a blank screen.

Note: See TracTickets for help on using tickets.