Opened 3 weeks ago
Closed 2 weeks ago
#3633 closed defect (bug) (invalid)
Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
Reported by:
Owned by:
Milestone:
Priority: low
Severity: normal
Version:
Component: Site - bbPress.org
Keywords:
Cc:
Description
Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php
Author: Jiwoon Kim (Meta Translation Editor, Korean Locale)
Date Reported: April 21, 2025
Priority: Low (Not a security issue)
Scope: Various Rosetta sites and related WordPress.org sub-sites
I am a Meta Translation Editor (PTE) for the Korean WordPress team. With PTE permissions, I can access the backend at https://ko.wordpress.org/wp-admin/. However, I discovered several cases where /wp-admin/about.php is accessible even without proper permissions. While this does not seem to be a security issue, I am reporting it here for documentation and potential review.
---
### Korean Rosetta Site (/team/, /support/)
Since https://ko.wordpress.org/wp-admin/index.php is accessible, it's understandable that https://ko.wordpress.org/wp-admin/about.php is also accessible.
- Accessing https://ko.wordpress.org/team/wp-admin/about.php redirects to the user profile at https://profiles.wordpress.org/kimjiwoon/.
- Attempting to access https://ko.wordpress.org/support/wp-admin/ shows the error: "You tried to access the 'Korean Support' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'Korean Support' dashboard, please contact the network administrator." However, https://ko.wordpress.org/support/wp-admin/about.php is accessible without permissions.
---
### Japanese Rosetta Site
- Accessing https://ja.wordpress.org/wp-admin/about.php redirects to https://profiles.wordpress.org/kimjiwoon/.
- https://ja.wordpress.org/support/wp-admin/about.php is accessible without permissions.
---
### WordPress.org Forums
- Accessing https://wordpress.org/support/wp-admin/ returns the following error: "You tried to access the 'WordPress.org Forums' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'WordPress.org Forums' dashboard, please contact the network administrator." However, https://wordpress.org/support/wp-admin/about.php is accessible.
---
### bbPress.org
- https://bbpress.org/wp-admin/ shows: "Sorry, you are not allowed to access this page." However, https://bbpress.org/wp-admin/about.php is accessible (displayed in English even if the site language is Korean).
---
### BuddyPress.org
- Accessing https://buddypress.org/wp-admin/about.php redirects to the site front page https://buddypress.org/.
---
### GPT Analysis
about.php is a core admin file in WordPress, typically gated behind login and capability checks like wp-admin/index.php. On multisite installations, if sub-sites are not fully configured or capability checks are not enforced for specific files, access to /about.php may be inadvertently allowed.
The about.php file primarily contains read-only release notes and update information (e.g. "What's New"), and is intended to be informational rather than administrative; hence, it's likely that explicit access restrictions were not enforced on purpose.
Some sub-sites, even within a multisite environment, do not redirect properly or display profile pages instead of denying access.
---
🧩 What does this suggest?
There appears to be a consistent pattern where the about.php file is accessible *only* on sites based on bbPress, which is not expected behavior.
In a typical WordPress Multisite setup, accessing wp-admin/about.php on a subsite should be restricted by user capabilities. However, bbPress may be bypassing or missing this permission check.
The fact that about.php is also accessible on bbPress.org itself suggests a possible omission or inconsistency in how bbPress handles admin templates or hooks.
---
🛠 Likely Cause Candidates
The about.php file is a static PHP file located directly under the /wp-admin/ directory in WordPress Core. It doesn't include its own capability check internally.
Normally, access restrictions are handled globally via admin.php or admin_init hooks in WordPress. But in bbPress, these checks might be missing for specific files like about.php, or filters may be malfunctioning before the file is loaded.
Alternatively, it's possible that about.php was intentionally left open as a "read-only public info page." Even so, the fact that only bbPress-related sites allow access while others block it raises concerns about inconsistency in permission enforcement.
---
### Security Considerations
This is not a security vulnerability. The about.php file does not allow administrative actions or access to sensitive data; it only displays release information.
However, unauthenticated access to /wp-admin/ paths, even for read-only pages, could cause UX confusion or indicate a lack of consistent policy enforcement across the network. If unintended, this behavior might be worth reviewing and improving.
---
### Additional Observation: Version Display Inconsistency
At the bottom of /wp-admin/ pages, the WordPress version string sometimes changes between reloads:
Example:
- Initially: Version 6.9-alpha-60170
- After refresh: Version 6.9-alpha-60172
This could be due to version metadata being served from different build caches or CDN nodes, especially within a Trunk development environment. When servers or caches are not fully synchronized, minor inconsistencies in version strings can occur.
---
### WordPress.com / Dashboard Access Examples
- https://wordpress.com/wp-admin/my-sites.php: Access denied.
- https://wordpress.com/wp-admin/about.php: 403 Forbidden.
- https://wordpress.com/wp-admin/index.php: Redirects to https://wordpress.com/sites.
---
### dashboard.wordpress.com
- https://dashboard.wordpress.com/wp-admin/: Accessible.
- https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs: Accessible.
- https://dashboard.wordpress.com/wp-admin/about.php: 403 Forbidden with message: "Lost? Our server sentries tell us you probably shouldn't be here. Maybe you're lost? If you're sure this is the place you're trying to go, please contact us and we'll be happy to help."
---
### Jetpack-Related Subdomains
- https://jetpackme.wordpress.com/wp-admin/: Inaccessible.
- https://koreanjetpack.wordpress.com/wp-admin/: Inaccessible.
*User kimjiwoon96 Cannot Access the Dashboard Requested*
"You are logged in as 'kimjiwoon96' and do not have the necessary privileges to access the dashboard for 'Jetpack — Essential Security & Performance for WordPress'. If you are not 'kimjiwoon96', please log out, and log back in with your username. If you are 'kimjiwoon96' and you need access, please ask an administrator of the site to invite you."
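Added example, not part of the ticket and not WordPress core, WordPress.org or bbPress code: a must-use plugin that gates about.php (and the sibling informational screens) behind membership of the current site, for anyone who wants to close this gap on a network they administer. The mechanism it works against is core's: wp-admin/admin.php only requires a login through auth_redirect(); the "you do not currently have access to this site" splash and the "Sorry, you are not allowed to access this page." response for /wp-admin/ are emitted by the admin-menu gate (user_can_access_admin_page() in wp-admin/includes/menu.php, with _access_denied_splash() hooked to admin_page_access_denied on multisite), and about.php registers no menu entry for that gate to act on. The hooks, globals and functions called below are core WordPress APIs; the example_-prefixed function names and the list of screens treated as a group are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Gate the informational admin screens behind site membership
 * Description: Added example for this ticket; not WordPress core, WordPress.org or bbPress code.
 *              Place in wp-content/mu-plugins/ so it loads on every site of the network.
 */

/**
 * Core admin screens that register no admin-menu entry, so the menu gate in
 * wp-admin/includes/menu.php never denies them; once auth_redirect() has
 * passed, any logged-in user reaches them. The file names are core's;
 * treating them as one group is this example's assumption.
 */
function example_ungated_info_screens() {
	return array( 'about.php', 'credits.php', 'freedoms.php', 'privacy.php', 'contribute.php' );
}

/**
 * Policy decision kept free of WordPress globals so it can be read on its own:
 * a screen from the list above is viewable only by a user who holds the 'read'
 * capability on the *current* site, which on multisite means being a member of
 * that site (super admins hold every capability, so they pass as well).
 */
function example_may_view_info_screen( $pagenow, $can_read_current_site ) {
	if ( ! in_array( $pagenow, example_ungated_info_screens(), true ) ) {
		return true; // Some other screen: leave core's own checks in charge.
	}
	return (bool) $can_read_current_site;
}

/**
 * admin_init fires from wp-admin/admin.php after auth_redirect() and before
 * about.php prints anything, so denying here gives the same outcome that the
 * menu gate gives for /wp-admin/index.php.
 */
add_action( 'admin_init', function () {
	global $pagenow;

	if ( example_may_view_info_screen( $pagenow, current_user_can( 'read' ) ) ) {
		return;
	}

	// On multisite, wp-admin/includes/ms.php hooks _access_denied_splash() to
	// this action and renders the "You tried to access the '...' dashboard"
	// page the ticket quotes; on a single site nothing is hooked and we fall
	// through to the plain 403 core uses for the dashboard itself.
	do_action( 'admin_page_access_denied' );

	wp_die(
		esc_html__( 'Sorry, you are not allowed to access this page.' ),
		'',
		array( 'response' => 403 )
	);
} );
```

To verify the effect, log in as a user with no role on the site and request /wp-admin/about.php: with the plugin active the response is the same splash or 403 that /wp-admin/ already returns, while users who can load the dashboard see the screen unchanged. Redirects to profiles.wordpress.org or to a site's front page, as some of the hosts in the report do, are not produced by this plugin or by core.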
Marking as duplicate of https://meta.trac.wordpress.org/ticket/7960