Security component

If you have encountered a security issuesecurity issue A security issue is a type of bug that can affect the security of WordPress installations. Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have. that isn’t addressed in a released version of WordPress, please report it to the WordPress HackerOne program. For more, see our Security FAQ in the handbook.

Recent posts on the make/coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. blogblog (versus network, site)

View all posts tagged security.

90 open tickets in the Security component

90 open tickets defect (bug) enhancement feature request task (blessed)
Awaiting Review 30 27 8 0
Future Release 6 12 4 1
6.8 0 1 1 0

90 open tickets. Last 7 days: +0 tickets

21 tickets that have no replies

View list on Trac

  • #43215  Allow wp_kses to pass allowed CSSCSS Cascading Style Sheets. properties
  • #51611  Escape echoing Core functions
  • #52333  Lack of the : entity on the list of allowed entity names in kses.php
  • #52388  Use HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org already during installation if supported
  • #53296  Do trim $hook_name within add_action() and add_filter() function
  • #53994  REST APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/. requests with session cookies but an invalidinvalid A resolution on the bug tracker (and generally common in software development, sometimes also notabug) that indicates the ticket is not a bug, is a support request, or is generally invalid./missing nonce are considered authenticated for most of the request rest-api
  • #54280  wp_verify_nonce should return a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output.
  • #54512  Suggestion for file protection privacy
  • #56785  Automatically catch potential security issues before release
  • #56860  Sodium Compat library is improperly loaded
  • #57424  Specific hook for Content Security Policy
  • #57447  wp_ajax_inline_save function does not check if post has "public" or "show_ui" enabled
  • #58636  Automatic Sanitization of Nonces in wp_verify_nonce coding-standards
  • #58679  metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. key field in usermeta table should NOT use accent insensitive collations
  • #58771  Someone logged onto my WordPress Adminadmin (and super admin) Site, changed the password, and created a User Registration
  • #59355  TypeError: Cannot read properties of undefined (reading 'hasClass') in wp-auth-check.min.js javascriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/.
  • #59824  PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher Warning raised in pluggable.php when passing NULL instead of a string administration privacy
  • #60347  wp_kses breaking text fragments links
  • #60994  GithubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ bot detected some high risk security issue in npm packages.
  • #61706  Support for storing and getting encrypted options
  • #62055  Put index.php into Public folder on the root directory

2 tickets slated for 6.8

View list in Trac

  • #43936  Settings: Warn when open registration and new user default is privileged administration
  • #57304  Add SensitiveParameter attribute to DB connection and login variables

90 open tickets

Open enhancements: 40 View list on Trac
Open tasks: 1 View list on Trac
Open feature requests: 13 View list on Trac
Open defects: 36 View list on Trac

Help maintain this component

Component maintainers:

Many contributors help maintain one or more components. These maintainers are vital to keeping WordPress development running as smoothly as possible. They triagetriage The act of evaluating and sorting bug reports, in order to decide priority, severity, and other factors. new tickets, look after existing ones, spearhead or mentor tasks, pitch new ideas, curate roadmaps, and provide feedback to other contributors. Longtime maintainers with a deep understanding of particular areas of Core are always seeking to mentor others to impart their knowledge.

Want to help? Start following this component! Adjust your notifications here. Feel free to dig into any ticketticket Created for both bug reports and feature development on the bug tracker..

Contributors following this component: