Opened 11 months ago
Closed 10 months ago
#3633 closed defect (bug) (invalid)
Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | low | |
| Severity: | normal | Version: | |
| Component: | Site - bbPress.org | Keywords: | |
| Cc: |
Description
Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
Author: Jiwoon Kim (Meta Translation Editor, Korean Locale)
Date Reported: April 21, 2025
Priority: Low (Not a security issue)
Scope: Various Rosetta sites and related WordPress.org sub-sites
I am a Meta Translation Editor (PTE) for the Korean WordPress team. With PTE permissions, I can access the backend at https://ko.wordpress.org/wp-admin/. However, I discovered several cases where /wp-admin/about.php is accessible even without proper permissions. While this does not seem to be a security issue, I am reporting it here for documentation and potential review.
---
### Korean Rosetta Site (/team/, /support/)
Since https://ko.wordpress.org/wp-admin/index.php is accessible, it's understandable that
https://ko.wordpress.org/wp-admin/about.php is also accessible.
- Accessing
https://ko.wordpress.org/team/wp-admin/about.phpredirects to the user profile athttps://profiles.wordpress.org/kimjiwoon/.
- Attempting to access
https://ko.wordpress.org/support/wp-admin/shows the error:"You tried to access the 'Korean Support' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'Korean Support' dashboard, please contact the network administrator."
However,
https://ko.wordpress.org/support/wp-admin/about.phpis accessible without permissions.
---
### Japanese Rosetta Site
- Accessing
https://ja.wordpress.org/wp-admin/about.phpredirects tohttps://profiles.wordpress.org/kimjiwoon/.
https://ja.wordpress.org/support/wp-admin/about.phpis accessible without permissions.
---
### WordPress.org Forums
- Accessing
https://wordpress.org/support/wp-admin/returns the following error:"You tried to access the 'WordPress.org Forums' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'WordPress.org Forums' dashboard, please contact the network administrator."
However,
https://wordpress.org/support/wp-admin/about.phpis accessible.
---
### bbPress.org
https://bbpress.org/wp-admin/shows:"Sorry, you are not allowed to access this page."
However,
https://bbpress.org/wp-admin/about.phpis accessible (displayed in English even if the site language is Korean).
---
### BuddyPress.org
- Accessing
https://buddypress.org/wp-admin/about.phpredirects to the site front pagehttps://buddypress.org/.
---
### GPT Analysis
about.php is a core admin file in WordPress, typically gated behind login and capability checks like wp-admin/index.php. On multisite installations, if sub-sites are not fully configured or capability checks are not enforced for specific files, access to /about.php may be inadvertently allowed.
The about.php file primarily contains read-only release notes and update information (e.g. “What’s New”), and is intended to be informational rather than administrative — hence, it's likely that explicit access restrictions were not enforced on purpose.
Some sub-sites, even within a multisite environment, do not redirect properly or display profile pages instead of denying access.
---
🧩 What does this suggest?
There appears to be a consistent pattern where the about.php file is accessible *only* on sites based on bbPress, which is not expected behavior.
In a typical WordPress Multisite setup, accessing wp-admin/about.php on a subsite should be restricted by user capabilities. However, bbPress may be bypassing or missing this permission check.
The fact that about.php is also accessible on bbPress.org itself suggests a possible omission or inconsistency in how bbPress handles admin templates or hooks.
---
🛠 Likely Cause Candidates
The about.php file is a static PHP file located directly under the /wp-admin/ directory in WordPress Core. It doesn't include its own capability check internally.
Normally, access restrictions are handled globally via admin.php or admin_init hooks in WordPress. But in bbPress, these checks might be missing for specific files like about.php, or filters may be malfunctioning before the file is loaded.
Alternatively, it’s possible that about.php was intentionally left open as a "read-only public info page." Even so, the fact that only bbPress-related sites allow access while others block it raises concerns about inconsistency in permission enforcement.
---
### Security Considerations
This is not a security vulnerability. The about.php file does not allow administrative actions or access to sensitive data — it only displays release information.
However, unauthenticated access to /wp-admin/ paths, even for read-only pages, could cause UX confusion or indicate a lack of consistent policy enforcement across the network. If unintended, this behavior might be worth reviewing and improving.
---
### Additional Observation: Version Display Inconsistency
At the bottom of /wp-admin/ pages, the WordPress version string sometimes changes between reloads:
Example:
- Initially:
Version 6.9-alpha-60170 - After refresh:
Version 6.9-alpha-60172
This could be due to version metadata being served from different build caches or CDN nodes, especially within a Trunk development environment. When servers or caches are not fully synchronized, minor inconsistencies in version strings can occur.
---
### WordPress.com / Dashboard Access Examples
https://wordpress.com/wp-admin/my-sites.php: Access denied.https://wordpress.com/wp-admin/about.php: 403 Forbidden.https://wordpress.com/wp-admin/index.php: Redirects tohttps://wordpress.com/sites.
---
### dashboard.wordpress.com
https://dashboard.wordpress.com/wp-admin/: Accessible.https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs: Accessible.https://dashboard.wordpress.com/wp-admin/about.php: 403 Forbidden with message:
"Lost? Our server sentries tell us you probably shouldn’t be here. Maybe you’re lost?
If you’re sure this is the place you’re trying to go, please contact us and we’ll be happy to help."
---
### Jetpack-Related Subdomains
https://jetpackme.wordpress.com/wp-admin/: Inaccessible.https://koreanjetpack.wordpress.com/wp-admin/: Inaccessible.
*User kimjiwoon96 Cannot Access the Dashboard Requested*
"You are logged in as 'kimjiwoon96' and do not have the necessary privileges to access the dashboard for 'Jetpack — Essential Security & Performance for WordPress'. If you are not 'kimjiwoon96', please log out, and log back in with your username. If you are 'kimjiwoon96' and you need access, please ask an administrator of the site to invite you."
Marking as duplicate of https://meta.trac.wordpress.org/ticket/7960