bbPress.org

Opened 3 weeks ago

Closed 2 weeks ago

#3633 closed defect (bug) (invalid)

Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php

Reported by: kimjiwoon
Owned by:
Milestone:
Priority: low
Severity: normal
Version:
Component: Site - bbPress.org
Keywords:
Cc:

Description

Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php

Author: Jiwoon Kim (Meta Translation Editor, Korean Locale)
Date Reported: April 21, 2025
Priority: Low (Not a security issue)
Scope: Various Rosetta sites and related WordPress.org sub-sites

I am a Meta Translation Editor (PTE) for the Korean WordPress team. With PTE permissions, I can access the backend at https://ko.wordpress.org/wp-admin/. However, I discovered several cases where /wp-admin/about.php is accessible even without proper permissions. While this does not seem to be a security issue, I am reporting it here for documentation and potential review.

---

### Korean Rosetta Site (/team/, /support/)

Since https://ko.wordpress.org/wp-admin/index.php is accessible, it's understandable that https://ko.wordpress.org/wp-admin/about.php is also accessible.

  • Accessing https://ko.wordpress.org/team/wp-admin/about.php redirects to the user profile at https://profiles.wordpress.org/kimjiwoon/.
  • Attempting to access https://ko.wordpress.org/support/wp-admin/ shows the error:

    "You tried to access the 'Korean Support' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'Korean Support' dashboard, please contact the network administrator."

However, https://ko.wordpress.org/support/wp-admin/about.php is accessible without permissions.

---

### Japanese Rosetta Site

  • Accessing https://ja.wordpress.org/wp-admin/about.php redirects to https://profiles.wordpress.org/kimjiwoon/.
  • https://ja.wordpress.org/support/wp-admin/about.php is accessible without permissions.

---

### WordPress.org Forums

  • Accessing https://wordpress.org/support/wp-admin/ returns the following error:

    "You tried to access the 'WordPress.org Forums' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'WordPress.org Forums' dashboard, please contact the network administrator."

However, https://wordpress.org/support/wp-admin/about.php is accessible.

---

### bbPress.org

  • https://bbpress.org/wp-admin/ shows:

    "Sorry, you are not allowed to access this page."

However, https://bbpress.org/wp-admin/about.php is accessible (displayed in English even if the site language is Korean).

---

### BuddyPress.org

  • Accessing https://buddypress.org/wp-admin/about.php redirects to the site front page https://buddypress.org/.

---

### GPT Analysis

about.php is a core admin file in WordPress, typically gated behind login and capability checks like wp-admin/index.php. On multisite installations, if sub-sites are not fully configured or capability checks are not enforced for specific files, access to /about.php may be inadvertently allowed.

The about.php file primarily contains read-only release notes and update information (e.g. “What’s New”), and is intended to be informational rather than administrative — hence, it's likely that explicit access restrictions were not enforced on purpose.

Some sub-sites, even within a multisite environment, do not redirect properly or display profile pages instead of denying access.

---

### 🧩 What does this suggest?

There appears to be a consistent pattern where the about.php file is accessible *only* on sites based on bbPress, which is not expected behavior.

In a typical WordPress Multisite setup, accessing wp-admin/about.php on a subsite should be restricted by user capabilities. However, bbPress may be bypassing or missing this permission check.

The fact that about.php is also accessible on bbPress.org itself suggests a possible omission or inconsistency in how bbPress handles admin templates or hooks.

---

### 🛠 Likely Cause Candidates

The about.php file is a static PHP file located directly under the /wp-admin/ directory in WordPress Core. It doesn't include its own capability check internally.

Normally, access restrictions are handled globally via admin.php or admin_init hooks in WordPress. But in bbPress, these checks might be missing for specific files like about.php, or filters may be malfunctioning before the file is loaded.

Alternatively, it’s possible that about.php was intentionally left open as a "read-only public info page." Even so, the fact that only bbPress-related sites allow access while others block it raises concerns about inconsistency in permission enforcement.

---

### Security Considerations

This is not a security vulnerability. The about.php file does not allow administrative actions or access to sensitive data — it only displays release information.

However, unauthenticated access to /wp-admin/ paths, even for read-only pages, could cause UX confusion or indicate a lack of consistent policy enforcement across the network. If unintended, this behavior might be worth reviewing and improving.

---

### Additional Observation: Version Display Inconsistency

At the bottom of /wp-admin/ pages, the WordPress version string sometimes changes between reloads:

Example:

  • Initially: Version 6.9-alpha-60170
  • After refresh: Version 6.9-alpha-60172

This could be due to version metadata being served from different build caches or CDN nodes, especially within a Trunk development environment. When servers or caches are not fully synchronized, minor inconsistencies in version strings can occur.

---

### WordPress.com / Dashboard Access Examples

  • https://wordpress.com/wp-admin/my-sites.php: Access denied.
  • https://wordpress.com/wp-admin/about.php: 403 Forbidden.
  • https://wordpress.com/wp-admin/index.php: Redirects to https://wordpress.com/sites.

---

### dashboard.wordpress.com

  • https://dashboard.wordpress.com/wp-admin/: Accessible.
  • https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs: Accessible.
  • https://dashboard.wordpress.com/wp-admin/about.php: 403 Forbidden with message:

    "Lost? Our server sentries tell us you probably shouldn’t be here. Maybe you’re lost? If you’re sure this is the place you’re trying to go, please contact us and we’ll be happy to help."

---

### Jetpack-Related Subdomains

  • https://jetpackme.wordpress.com/wp-admin/: Inaccessible.
  • https://koreanjetpack.wordpress.com/wp-admin/: Inaccessible.

*User kimjiwoon96 Cannot Access the Dashboard Requested*
"You are logged in as 'kimjiwoon96' and do not have the necessary privileges to access the dashboard for 'Jetpack — Essential Security & Performance for WordPress'. If you are not 'kimjiwoon96', please log out, and log back in with your username. If you are 'kimjiwoon96' and you need access, please ask an administrator of the site to invite you."
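The "Likely Cause Candidates" section of the ticket describes admin access on a multisite network as something enforced globally through admin.php and admin_init hooks rather than inside individual screens. The must-use plugin below is an added example, not code from the ticket, from bbPress, or from WordPress core: it applies one uniform rule on admin_init (a logged-in user who holds no role on the current sub-site is refused every wp-admin screen of that sub-site, about.php included) and logs each refusal, so enforcement is consistent and auditable across sites regardless of whether a given screen checks a capability itself. The hooks and functions it calls (admin_init, is_multisite, is_network_admin, wp_doing_ajax, is_super_admin, is_user_member_of_blog, get_bloginfo, wp_die) are real WordPress core APIs; the plugin name, the example_ function and filter names, and the policy itself are assumptions of this example, not anything the ticket or its resolution proposes.

```php
<?php
/**
 * Plugin Name: Require site membership for sub-site admin screens (added example)
 *
 * Hypothetical must-use plugin for wp-content/mu-plugins/ on a multisite
 * network. Any logged-in user who holds no role on the current sub-site is
 * refused every wp-admin screen of that sub-site, including screens that
 * carry no capability check of their own, such as wp-admin/about.php.
 * Every name prefixed "example_" is an assumption of this example.
 */

add_action( 'admin_init', 'example_require_site_membership', 1 );

/**
 * Deny wp-admin screens on a sub-site to users who are not members of it.
 */
function example_require_site_membership() {
	global $pagenow;

	// Out of scope: single-site installs, the AJAX and admin-post endpoints,
	// the network admin, and anonymous requests (auth_redirect() covers those).
	if ( ! is_multisite() || wp_doing_ajax() || is_network_admin()
		|| 'admin-post.php' === $pagenow || ! is_user_logged_in() ) {
		return;
	}

	// Network administrators keep access to every site on the network.
	if ( is_super_admin() ) {
		return;
	}

	$user_id = get_current_user_id();
	$site_id = get_current_blog_id();

	// A user with any role on this site (subscriber or higher) passes.
	if ( is_user_member_of_blog( $user_id, $site_id ) ) {
		return;
	}

	// Screens a network may deliberately keep reachable for non-members.
	// Empty by default, so the rule is uniform unless a site opts screens out.
	$exempt = apply_filters( 'example_membership_exempt_screens', array() );
	if ( in_array( $pagenow, (array) $exempt, true ) ) {
		return;
	}

	// Leave a trace for the operations team: who was refused, where, and why.
	error_log( sprintf(
		'admin access denied: user %d is not a member of site %d (screen %s)',
		$user_id,
		$site_id,
		$pagenow
	) );

	wp_die(
		sprintf(
			/* translators: %s: site name */
			esc_html__( 'You do not currently have access to the %s dashboard. If you believe you should, please contact the network administrator.' ),
			esc_html( get_bloginfo( 'name' ) )
		),
		esc_html__( 'Access denied' ),
		array( 'response' => 403 )
	);
}
```

Because the hook runs at admin_init, it fires after authentication but before any admin screen renders, so the rule covers about.php as well as screens that do carry their own checks. The error_log line gives a log source for alerting on repeated refusals from one account, which is the detection side of the same policy.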

Change History (1)

#1 @dd32
2 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed