• All,

    Just started some penetration testing on my wordpress installs, and noticed wpscan was saying I had the feed plugin installed. I don’t.

    So I tried going to http://www.example.com/wp-content/plugins/feed/ and indeed, I get an RSS feed. Hmm. Then I just did /wp-content/feed, and again, I get an RSS feed.

    This seems broken. /feed should only work off existing posts, or root, not off wp-content, etc. /wp-admin/feed/ does the same thing.

    It’s not a security issue (that I can think of), but it certainly leads to false positives, and seems sloppy. Note, in all cases, the RSS feed is just the header info, but no actual posts in it…

    Thoughts? File a bug?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Is there anything in the feed other than the blog’s description? Anyway, I think it’s just how it handles “feed” when it sees it in the URL.

    Mine does the same thing.

    In fact if I type in a non existent directory like /zebra/feed/, I’ll get an RSS feed with just blog description.
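A small triage helper for the situation described in this thread, added here as an example and not code from the original post or from WordPress: it classifies a response body as a feed with posts, a header-only feed (the empty RSS shell WordPress returns for paths like /zebra/feed/), or not a feed at all, so a scanner finding such as "plugin feed installed" can be checked against what the server actually returned. The sample bodies and the paths are constructed; the set of paths where a feed is expected (`EXPECTED_FEED_PATHS`) is an assumption you would adjust for your site.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not real captures). WordPress answers any
# path ending in /feed/ with an RSS document; for a path that matches no
# post or page it is only the <channel> header with no <item> elements.
HEADER_ONLY = (
    '<?xml version="1.0"?><rss version="2.0"><channel>'
    "<title>Example Blog</title><link>http://www.example.com</link>"
    "<description>Just another site</description></channel></rss>"
)
SAMPLES = {
    "/feed/": (
        '<?xml version="1.0"?><rss version="2.0"><channel>'
        "<title>Example Blog</title><link>http://www.example.com</link>"
        "<description>Just another site</description>"
        "<item><title>Hello world</title>"
        "<link>http://www.example.com/?p=1</link></item></channel></rss>"
    ),
    "/wp-content/plugins/feed/": HEADER_ONLY,
    "/zebra/feed/": HEADER_ONLY,
    "/wp-content/plugins/example-plugin/": "<html><body>403 Forbidden</body></html>",
}

# Assumption: only the site root feed is expected to carry a real feed here.
EXPECTED_FEED_PATHS = {"/feed/"}


def classify_feed(body):
    """Return 'feed', 'empty-feed' or 'not-feed' for one HTTP response body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # HTML or garbage is never a feed
        return "not-feed"
    if root.tag != "rss" or root.find("channel") is None:
        return "not-feed"
    return "feed" if root.findall("channel/item") else "empty-feed"


def triage(responses, expected=EXPECTED_FEED_PATHS):
    """Map each probed path to a verdict for reviewing scanner findings."""
    verdicts = {}
    for path, body in responses.items():
        kind = classify_feed(body)
        if kind == "empty-feed" and path not in expected:
            # Header-only feed at an arbitrary path: the rewrite quirk from
            # this thread, not evidence that a plugin named "feed" exists.
            verdicts[path] = "wp-rewrite-quirk"
        elif kind == "feed":
            verdicts[path] = "feed-with-posts"
        else:
            verdicts[path] = "not-a-feed"
    return verdicts
```

Feed the real bodies from your own probes into `triage` in place of `SAMPLES`; anything reported as `wp-rewrite-quirk` is the behaviour this thread describes rather than an installed plugin.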

    Thread Starter staze

    (@staze)

    No, there’s no content other than site name, etc. Still seems like it’s being overzealous with its permalinks.

    Think I should file a bug? It’s obviously not critical, but it does seem like this is not how the system should function.

    Thread Starter staze

    (@staze)

    Steven Word

    (@stevenkword)

    WPEngine Employee

    Thanks for the bug report, staze! I’m taking a look at it.
