• Resolved romonoutic

    (@romonoutic)


    Hello
    Thanks for this plugin, but I have a problem that I’ll explain step by step for a better understanding of what I’m talking about:

    1- I go to “add new page”, I put some title and then I add the following shortcode: [user-submitted-posts]

    2- I open the page created with the shortcode from another browser in a private window to see the page as an ordinary user (visitor), and I find the text and link: “Please log in to submit content!”

    3- This link redirects users to wp-login.php or the wp-admin dashboard instead of redirecting users to the /my-account page from WooCommerce or a custom /login page created by other plugins.

    I hope you understand that this is a serious lack of security, and worse than that is that even when installing plugins that hide (change the name of) wp-login.php from hackers, the link generated by your plugin will redirect visitors to this hidden link. This shouldn’t be possible.

    I tested on my website and even on a fresh new WordPress site and the problem was exactly the same. My suggestion is that you should add a field on your plugin settings page where admins can choose where they want to redirect their visitors when clicking that link, because most administrators generate their own login pages for visitors.

    I’ll really appreciate your help with this issue!
    Thanks for your time,

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Glad to help. Thanks for explaining very well. For this:

    “I hope you understand that this is a serious lack of security”

    No, it’s not, because on a default WP install, the Login page is public. So if you consider a public login page a security issue, then millions of WP sites are affected, not just those running USP.

    Also this:

    “My suggestion is that you should add a field on your plugin settings page where admins can choose where they want to redirect their visitors when clicking that link, because most administrators generate their own login pages for visitors.”

    Thank you, I will look into adding such an option. In the meantime, it is possible to change the URL using a code snippet. You can get the code here if interested.

    I hope this helps, let me know if I can provide any further info.

    Thread Starter romonoutic

    (@romonoutic)

    Thanks a lot for your reply,
    Please find below my review of your great support:

    https://www.ads-software.com/support/topic/very-good-support-service-3/

    Happy holidays,
    Regards,

    Plugin Author Jeff Starr

    (@specialk)

    Thank you, @romonoutic – it is very much appreciated.

    Likewise, Happy Holidays

  • The topic ‘Security Issue – Plugin redirecting visitors to wp-login.php for Admins’ is closed to new replies.