• farnely

    (@farnely)


    I noticed a request in my server logs for /wp-admin/upgrade.php from an unknown, logged out user. Out of curiosity, I visited the URL myself (as a guest) and to my surprise, I was greeted with a message saying my WordPress database is already up to date. I’m running the latest version of WP.

    Should there not be a capability check somewhere to ensure this request can only be performed by an administrator?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Joy

    (@joyously)

    WordPress only runs when there is site traffic or logins. The schedule for checking for updates happens only when WordPress runs. The configuration determines whether minor or major updates should be automatic. If you want automatic minor updates, which is the default so your site gets security updates, they have to run regardless of the user.

    Thread Starter farnely

    (@farnely)

    WP Cron runs on my site at the times set by my CRON task in cPanel (it’s not driven by visitor activity). Automatic updates are disabled.

    My point is that by visiting that URL (either as an actual visitor or using a script), it’s possible to determine whether the database needs upgrading. That might seem innocent enough but it seems to me that it could be used as a means of identifying websites that are not well maintained/kept up to date and therefore a “good” target for other more sinister intentions.
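A log-review check for the situation described in this thread, added here as an example and not code from the original thread or from WordPress: it scans constructed combined-format log lines and lists clients that fetched /wp-admin/upgrade.php successfully without an earlier login POST from the same address. The sample addresses and the "302 after POST /wp-login.php means a login succeeded" heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /wp-admin/upgrade.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:09:13:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:13:50 +0000] "GET /wp-admin/upgrade.php?step=1 HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that this check needs: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_lines(text):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unauthenticated_upgrade_probes(text):
    """Return {ip: [timestamps]} for clients that received a 200 for /wp-admin/upgrade.php
    without an earlier POST to /wp-login.php answered with 302 from the same address.
    Heuristic (assumption): WordPress redirects (302) after a successful login and
    re-renders the form (200) after a failed one; the access log carries no session cookie."""
    logged_in = set()
    probes = defaultdict(list)
    for rec in parse_lines(text):
        path = rec["path"].split("?", 1)[0]  # ignore query strings such as ?step=1
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == "302":
            logged_in.add(rec["ip"])
        elif path == "/wp-admin/upgrade.php" and rec["status"] == "200":
            if rec["ip"] not in logged_in:
                probes[rec["ip"]].append(rec["ts"])
    return dict(probes)


if __name__ == "__main__":
    for ip, times in find_unauthenticated_upgrade_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} unauthenticated request(s) to upgrade.php, first at {times[0]}")
```

Run it against a real access log by reading the file into `text`; addresses it reports are the ones worth checking before deciding whether to restrict the path at the web server.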

  • The topic ‘Capability check required?’ is closed to new replies.