[wp-trac] [WordPress Trac] #59109: Massive security flaw, please see sense.
WordPress Trac
noreply at wordpress.org
Tue Aug 15 13:32:51 UTC 2023
#59109: Massive security flaw, please see sense.
--------------------------+-------------------------------
Reporter: tspnet | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 6.3
Severity: critical | Keywords: reporter-feedback
Focuses: |
--------------------------+-------------------------------
Honestly, someone needs to see the sense in this. I'm pretty confident that if
you petitioned the worldwide WordPress community, everyone would want this
fixed, regardless of whether it is self-hosted or WordPress.com. This is a flaw
in the current WordPress.
I have given you the email that describes the issue; it explains it fully. This
flaw needs to be fixed.
(13:14:10) James: Regardless of whether it's open source or not, WordPress
needs to be secure
(13:14:23) James: People, businesses, even enterprises use your product
(13:14:59) James: There must be a way for WordPress to prevent any plugin
from creating an admin account, surely?
(13:15:21) James: And only allow a WordPress admin to do it
(13:15:46) James: That would eliminate the flaw
(13:15:54) James: And actually make it secure
(13:16:57) James: I don't get how all these minds working on WordPress
don't get that this is important
(13:17:55) Happiness Engineer: Part of the open source spirit is that
everything is open and available for everybody to change.
After downloading the software you can do with it whatever you want; this
is also what's appealing for a lot of developers and users.
(13:18:19) James: What you're basically telling me is that this flaw is OK
because WordPress is open source? It's not OK.
(13:18:28) Happiness Engineer: Suggestions to improve the software can be
made using a tool called Trac
https://core.trac.wordpress.org/
(13:19:46) James: Can you send this email to me please
(13:19:54) James: I will post this message there
(13:20:13) Happiness Engineer: You will receive a transcript of this
conversation after we close it.
(13:20:25) James: OK thanks let's close it
(13:23:41) Happiness Engineer: Ok, no problem.
Feel free to pop back in if there is anything else we can help you with.
Conclusion...
Honestly, think of this from a critical point of view: this is a flaw that
should be fixable so that plugins cannot make admin accounts and only an
admin can make admin accounts.
I'm not a coder, and I do not have the foggiest idea how this would be done,
but I hope it can be done, because if you surveyed everyone who uses
WordPress, I think everyone would feel safer with this implemented.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59109>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
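Editor's added example, not part of the ticket and not WordPress core code. The reporter asks that plugins be unable to create administrator accounts. What a site owner can do today is a must-use plugin that watches the role-assignment hooks core already fires (set_user_role, fired by WP_User::set_role(), which wp_insert_user() and wp_create_user() go through, and add_user_role, fired by WP_User::add_role()) and reverts any grant of a protected role when the acting request is not an administrator-capable user. The plugin name, function names and the ADMIN_TRIPWIRE_PROTECTED_ROLES constant are assumptions made for this example; WP-CLI and the installer are treated as trusted because no logged-in user exists there.

```php
<?php
/**
 * Plugin Name: Administrator Role Tripwire (added example, not WordPress core)
 * Description: Reverts administrator-role grants made while no administrator
 *              is acting, and logs the attempt with a backtrace.
 *
 * Install to wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions: the site uses the stock 'administrator' role and the
 * 'promote_users' capability; WP-CLI and the installer are trusted.
 */

// Roles no code path may grant unless the acting user holds promote_users.
// Constant name is an assumption for this example.
const ADMIN_TRIPWIRE_PROTECTED_ROLES = array( 'administrator' );

/**
 * True when the current request may grant a protected role: a logged-in
 * user with promote_users, or WP-CLI / the installer (no user context).
 */
function admin_tripwire_actor_is_trusted() {
	if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_installing() ) {
		return true;
	}
	return is_user_logged_in() && current_user_can( 'promote_users' );
}

/**
 * Hooked to set_user_role ($user_id, $role, $old_roles) and
 * add_user_role ($user_id, $role). Reverts an untrusted grant of a
 * protected role and logs who did it.
 */
function admin_tripwire_check_role( $user_id, $role, $old_roles = array() ) {
	if ( ! in_array( $role, ADMIN_TRIPWIRE_PROTECTED_ROLES, true ) ) {
		return;
	}
	// A user who already held the role is not being escalated.
	if ( in_array( $role, (array) $old_roles, true ) ) {
		return;
	}
	if ( admin_tripwire_actor_is_trusted() ) {
		return;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	// Revert the escalation. Fall back to subscriber so the account stays
	// usable but harmless. add_role('subscriber') re-enters this hook with
	// an unprotected role and returns immediately, so there is no recursion.
	$user->remove_role( $role );
	if ( empty( $user->roles ) ) {
		$user->add_role( 'subscriber' );
	}

	// The backtrace is what lets you attribute the grant to a plugin file.
	error_log( sprintf(
		'[admin-tripwire] reverted "%s" grant to user %d (%s); actor user id %d; trace: %s',
		$role,
		$user_id,
		$user->user_login,
		get_current_user_id(),
		wp_debug_backtrace_summary()
	) );
}
add_action( 'set_user_role', 'admin_tripwire_check_role', 10, 3 );
add_action( 'add_user_role', 'admin_tripwire_check_role', 10, 2 );
```

The caveat a practitioner should keep in mind, and the practical reason core cannot deliver what the ticket asks for as stated: a plugin is PHP running in the same process, with the same database credentials, as core itself. A malicious or compromised plugin can call remove_action() on these hooks or write the wp_capabilities row in wp_usermeta directly, bypassing set_role() altogether. This code is therefore a tripwire and an audit log that catches plugins using the documented API, not an enforced boundary; the boundary is deciding which plugins get installed.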