[wp-trac] [WordPress Trac] #45334: User with admin capabilities created via POST?
    WordPress Trac 
    noreply at wordpress.org
       
    Mon Nov 12 23:01:29 UTC 2018
    
    
  
#45334: User with admin capabilities created via POST?
---------------------------------+-----------------------------
 Reporter:  miloszryckobozenski  |      Owner:  (none)
     Type:  defect (bug)         |     Status:  new
 Priority:  normal               |  Milestone:  Awaiting Review
Component:  General              |    Version:  4.9.8
 Severity:  critical             |   Keywords:
  Focuses:                       |
---------------------------------+-----------------------------
 WordPress 4.9.8.
 WPScan shows two issues:
 [!] Detected 2 users from RSS feed:
 [!] Full Path Disclosure (FPD) in 'https://embraceyourlife.pl/wp-includes/rss-functions.php': /home/hl2404/domains/embraceyourlife.pl/public_html/wp-includes/rss-functions.php
 Plugins, themes, core in newest versions.
 Nothing more.
 I got an e-mail with a notification that a user with admin caps was created.
 In the logs I found only:
 174.142.75.169 - - [12/Nov/2018:23:12:08 +0100] "POST /wp-login.php?action=register HTTP/1.1" 302 4351 "-" "python-requests/2.18.1"
 174.142.75.169 - - [12/Nov/2018:23:12:13 +0100] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 2789 "-" "python-requests/2.18.1"
-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45334>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
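
An added example, not part of the ticket and not WordPress code: triage logic that scans a combined-format access log for the request pair quoted in the ticket (a POST to `wp-login.php?action=register` followed by a GET of `checkemail=registered` from the same address) and notes whether the client was a scripted one. The function name, the scripted-agent list and the third sample line (203.0.113.10) are assumptions constructed for illustration; the first two sample lines are the ones from the ticket. It shows only that a registration was submitted and accepted, not what role the new account received.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumption: user-agent prefixes treated as scripted clients; extend per site.
SCRIPTED_AGENTS = ("python-requests", "curl", "wget", "go-http-client")

# Lines 1-2 are from the ticket; line 3 is constructed (documentation IP range).
SAMPLE_LOG = """\
174.142.75.169 - - [12/Nov/2018:23:12:08 +0100] "POST /wp-login.php?action=register HTTP/1.1" 302 4351 "-" "python-requests/2.18.1"
174.142.75.169 - - [12/Nov/2018:23:12:13 +0100] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 2789 "-" "python-requests/2.18.1"
203.0.113.10 - - [12/Nov/2018:23:15:40 +0100] "GET /wp-login.php HTTP/1.1" 200 2650 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def find_registrations(log_text):
    """Return one finding per registration POST seen in the log."""
    posts = []                    # registration POSTs, in log order
    confirmed = defaultdict(int)  # ip -> number of checkemail=registered GETs
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path = m["path"]
        if not path.startswith("/wp-login.php?"):
            continue
        query = path.split("?", 1)[1].split("&")
        if m["method"] == "POST" and "action=register" in query:
            posts.append(m)
        elif m["method"] == "GET" and "checkemail=registered" in query:
            confirmed[m["ip"]] += 1
    findings = []
    for m in posts:
        findings.append({
            "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "scripted": m["agent"].lower().startswith(SCRIPTED_AGENTS),
            # A 302 plus a checkemail=registered GET from the same IP is
            # consistent with the registration form having been accepted.
            "completed": m["status"] == "302" and confirmed[m["ip"]] > 0,
        })
    return findings

if __name__ == "__main__":
    for finding in find_registrations(SAMPLE_LOG):
        print(finding)
```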