[wp-trac] [WordPress Trac] #27331: WordPress Login Page Security Issue

WordPress Trac noreply at wordpress.org
Sun Mar 9 10:04:34 UTC 2014


#27331: WordPress Login Page Security Issue
----------------------------+-----------------------------
 Reporter:  hardeepasrani   |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Security        |    Version:
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 I don't know whether it's a bug or there's a reason behind this, but I
 find it a security issue.

 == The Issue ==

 If you're logged into your self-hosted WordPress website as an admin or
 any other role, you will still see the login page, and you can log in
 again to any account.

 I think if a user is already logged in, then he should be redirected back
 to the admin panel (or any other page), not shown the login page.

 == Why it's an issue ==

 Just suppose a user is using his WP site (as admin) on a public computer,
 then he somehow gets to the login page (by clicking on the link) and
 assumes he is already logged out (even though he's logged in), because he
 can see the login page. So now he thinks that he's been logged out, but he
 is still logged in.

 So, I think a logged-in user should either be redirected back to the admin
 panel, or he should have to fill in the login details again to sign in.

 What are your thoughts?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27331>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
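As an added example, not code from the ticket or from WordPress core, the
following must-use plugin implements the behaviour the reporter proposes:
a user who already holds a valid session and requests the plain login form
is sent to the dashboard instead of seeing it. The hook `login_init` and the
functions `is_user_logged_in()`, `wp_safe_redirect()`, `wp_unslash()` and
`admin_url()` are real WordPress APIs; the function name
`trac27331_redirect_logged_in_user` and the list of excluded actions are this
example's own choices. The exclusions matter: `wp-login.php` also serves
logout, password reset and registration, and the `reauth` and
`interim-login` parameters are exactly the cases where core wants an
authenticated user to see a credential form again, so redirecting
unconditionally would break them.

```php
<?php
/**
 * Plugin Name: Redirect logged-in users away from the login form
 * Description: Added example for Trac #27331 (not WordPress core code).
 *              Sends an already-authenticated user to the dashboard instead
 *              of rendering wp-login.php's login form.
 *
 * Drop this file into wp-content/mu-plugins/ to load it on every request.
 */

// 'login_init' fires at the top of wp-login.php, before the requested
// action (login, logout, lostpassword, ...) is dispatched.
add_action( 'login_init', 'trac27331_redirect_logged_in_user' );

/**
 * Redirect a logged-in visitor who requested the plain login form.
 *
 * Function name is this example's own; it is not a core function.
 */
function trac27331_redirect_logged_in_user() {
	// Only the plain login form is affected. Every other wp-login.php action
	// (logout, lostpassword, resetpass, register, postpass, ...) must keep
	// working for a logged-in user; logout most of all, otherwise the
	// "public computer" case in the ticket gets worse, not better.
	$action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
	if ( 'login' !== $action ) {
		return;
	}

	// reauth=1 is what core sets when it wants credentials entered again
	// (for example after an invalid or expired auth cookie); interim-login
	// is the "session expired" modal shown inside wp-admin. Leave both alone.
	if ( ! empty( $_REQUEST['reauth'] ) || ! empty( $_REQUEST['interim-login'] ) ) {
		return;
	}

	// Nothing to do for a visitor without a valid session: show the form.
	if ( ! is_user_logged_in() ) {
		return;
	}

	// Honour redirect_to the way a successful login would. wp_safe_redirect()
	// rejects off-site targets unless their host is on allowed_redirect_hosts,
	// so a crafted link cannot turn this into an open redirect.
	$target = ! empty( $_REQUEST['redirect_to'] )
		? wp_unslash( $_REQUEST['redirect_to'] )
		: admin_url();

	wp_safe_redirect( $target );
	exit;
}
```

With this loaded, `wp-login.php` and `wp-login.php?redirect_to=/wp-admin/edit.php`
both 302 to the dashboard for a logged-in user, while
`wp-login.php?action=logout&_wpnonce=...`, `?action=lostpassword` and
`?reauth=1` behave as they do without the plugin. Whether core should do
this by default is the question the ticket raises; the plugin only shows
that the change is a small one.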

