• Resolved hongamtan

    (@hongamtan)


    Hi, I just saw the 1.3.9 update for the fix of the bypass vulnerability, then I found that with the default setting it is still not secure enough.
    XML-RPC can be logged into with a password, so if attackers know the admin password, they can still create a post without the XSS filter.
    There would be 2 solutions for this:
    – Force the XSS filter for admin (admin should not have the unfiltered html capability)
    – Use app passwords like the Application Passwords or Wp2sv plugin


Viewing 1 replies (of 1 total)
  • Plugin Author David Anderson / Team Updraft

    (@davidanderson)

    Hi,

    If you don’t want XML-RPC to be accessible to people who already know an admin password, then set the setting to make it inaccessible. Though, since XML-RPC isn’t really used, it’s much better to just turn XML-RPC entirely off. Using an app password really makes no difference… it’s still precisely one password to guess.

    Allowing logged-in admin users to post arbitrary content is a design decision in WordPress core. If you disagree with that, then you should report it to the maintainers of WordPress core. It is not something touched either way by this plugin, which only adds an extra layer to login security.

    David
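The two hardening steps discussed in this thread (turning XML-RPC off, as the reply recommends, and taking the unfiltered HTML capability away from administrators, as the original post suggests) can be applied with a small must-use plugin. This is an added example, not code from the plugin or from either participant; it assumes a standard WordPress install and the file name `harden-xmlrpc.php` is hypothetical.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC and admin HTML (added example)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php so it loads before
 * ordinary plugins. Assumes a standard WordPress install with xmlrpc.php.
 */

// 1. Refuse XML-RPC authentication entirely. The 'xmlrpc_enabled' filter
//    gates wp_xmlrpc_server::login(), so any method that takes a
//    username/password fails before the password is even checked, which
//    closes the password-only path the original post describes.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Strip the unfiltered_html capability from every user, administrators
//    included, so their posts go through wp_kses like everyone else's.
//    Core does the same thing when DISALLOW_UNFILTERED_HTML is defined in
//    wp-config.php; this filter applies it without editing wp-config.php.
add_filter(
    'map_meta_cap',
    function ( $caps, $cap ) {
        if ( 'unfiltered_html' === $cap ) {
            // 'do_not_allow' is a sentinel capability core never grants.
            return array( 'do_not_allow' );
        }
        return $caps;
    },
    10,
    2
);

// 3. Keep visibility: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so any hit on the (now useless) endpoint is still written
//    to the PHP error log for the site owner to review.
add_action(
    'init',
    function () {
        if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
            $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?';
            error_log( 'XML-RPC request from ' . $ip . ' (login disabled)' );
        }
    }
);
```

Disabling `unfiltered_html` means even the site's own administrators can no longer save raw `<script>` or `<iframe>` markup in posts, so check that no legitimate workflow depends on it before deploying.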


The topic ‘Version 1.3.9 is not secure enough’ is closed to new replies.