[wp-trac] [WordPress Trac] #61003: Direct access to .php files in /wp-includes is not protected out of the box
WordPress Trac
noreply at wordpress.org
Fri Apr 12 18:15:36 UTC 2024
#61003: Direct access to .php files in /wp-includes is not protected out of the box
--------------------------+-----------------------------
Reporter: teo8976 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.5
Severity: critical | Keywords:
Focuses: |
--------------------------+-----------------------------
I can't believe I'm stumbling upon this in 2024.
To reproduce:
- fresh install of WordPress
- go to https://yourdomain.com/wp-includes/rss.php
Expected:
should give a "403 Forbidden" response
Observed:
actually executes /wp-includes/rss.php which results in an internal server
error because of a call to an undefined function. The issue is not the
error itself, it's the fact that a php file inside /wp-includes can be
directly executed in the first place.
I know there are plugins that fix this and that I can fix it by creating
an .htaccess file, but this should be secure and clean out of the box.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61003>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list