Bug In WordPress Encryption Redirects Visitors To WP-Admin

Lately I’ve been struggling with the direction I want to take my website and business in general. What I mean is that I want as many people as possible to see and read my security tutorials, but I don’t want to simply give away all of my advice and research for free. After all, what is the point of even trying to start or run a business if you give away all of your expertise for nothing? At the same time, I’m not sure how I can gain a foothold or start to compete if people don’t know who I am or what I am capable of producing. Finding a happy medium between the two still eludes me.

However, my struggles in this area have also led me to accidentally uncover a major security glitch in the way that WordPress password-protects (“encrypts”) individual site pages on an account owner’s domain. For example, I’ve gone back and forth between password-protecting and un-protecting all of my security tutorials for weeks now. Due to theme-related issues, I now publish all “Blog Posts” as “Site Pages,” and accessing them requires password authentication; the passwords can be obtained by email request (editor@roguesecuritylabs.ltd).

However, what I’ve since discovered is that if you password-protect a site page and then, as a website visitor, enter the correct password, you are redirected to a blank screen on the owner’s wp-admin dashboard rather than to the article/page URL you were trying to read. For example, I password-protected my Securing WordPress tutorial, and when you type in the correct password to access it – W0rd9r3$$31it3 – this is the page that appears:

[Screenshot: the page shown after entering the correct password]

I’ve tested this out, and it happens on both phones and computers, no matter which browser you use. This is not the way that password protection was designed to work, and it represents a serious bug/flaw in the design of WordPress’s site security. For people who do not go through as much trouble to secure their site as I do, this flaw essentially offers a backdoor straight into a WordPress owner’s wp-admin panel. As of 9/21/2018 the bug has been reported to both WordPress Security and the HackerOne bug bounty program, but a patch has not been issued.
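As an added check (my own script, not the author’s code and not part of the original post), the probe below submits a page password the way the WordPress password form does and reports where the site redirects afterwards, so the behaviour described above can be reproduced from the command line without a browser. It assumes the core form layout (a `post_password` field posted to `/wp-login.php?action=postpass`), that a successful submission sets a cookie whose name starts with `wp-postpass_`, and that the redirect target might depend on whether a Referer header accompanied the post, which is why it runs the probe both with and without one. Host, page path and password are command-line arguments; the names `ProbeResult`, `classify_redirect`, `probe_postpass` and `interpret` are mine.

```python
"""Probe where WordPress sends a visitor after a page password is submitted.

Assumptions (mine, not from the post): the protected-page form posts a field
named post_password to /wp-login.php?action=postpass, a correct password sets
a cookie named wp-postpass_<hash>, and the redirect target may depend on the
Referer header the browser sends with that post.
"""
import http.client
import ssl
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse


@dataclass
class ProbeResult:
    """What the site answered to the password submission."""
    status: int
    location: str    # Location header, '' if the response was not a redirect
    set_cookie: str  # Set-Cookie header, '' if none was sent


def classify_redirect(location: str, site_host: str, page_path: str) -> str:
    """Name where a post-password redirect lands.

    Returns 'page' (back to the protected page), 'wp-admin', 'off-site'
    (another host), 'none' (no Location header) or 'other'.
    """
    if not location:
        return "none"
    parsed = urlparse(location)
    host = parsed.netloc.split("@")[-1].split(":")[0].lower()
    if host and host != site_host.lower():
        return "off-site"
    path = parsed.path or "/"
    if path.rstrip("/") == page_path.rstrip("/"):
        return "page"
    if path.startswith("/wp-admin"):
        return "wp-admin"
    return "other"


def interpret(result: ProbeResult, site_host: str, page_path: str):
    """Summarise one probe as (verdict, password_cookie_was_set)."""
    verdict = classify_redirect(result.location, site_host, page_path)
    cookie_set = "wp-postpass_" in result.set_cookie
    return verdict, cookie_set


def probe_postpass(site_host: str, page_path: str, password: str,
                   send_referer: bool = True, use_tls: bool = True,
                   timeout: int = 10) -> ProbeResult:
    """POST the page password as the browser form does; do not follow redirects."""
    body = urlencode({"post_password": password, "Submit": "Enter"}).encode()
    scheme = "https" if use_tls else "http"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "User-Agent": "postpass-probe/1.0",
    }
    if send_referer:
        # A browser sends the protected page's URL as the Referer of the form post.
        headers["Referer"] = f"{scheme}://{site_host}{page_path}"
    if use_tls:
        conn = http.client.HTTPSConnection(site_host, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(site_host, timeout=timeout)
    try:
        conn.request("POST", "/wp-login.php?action=postpass", body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return ProbeResult(resp.status,
                           resp.getheader("Location") or "",
                           resp.getheader("Set-Cookie") or "")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: postpass_probe.py <host> </page-path/> <password>")
    host, path, password = sys.argv[1:4]
    for with_referer in (True, False):
        r = probe_postpass(host, path, password, send_referer=with_referer)
        verdict, cookie = interpret(r, host, path)
        print(f"referer={'sent' if with_referer else 'omitted'}: HTTP {r.status} -> {verdict} "
              f"(password cookie {'set' if cookie else 'not set'})")
```

Run it as `python3 postpass_probe.py example.com /securing-wordpress/ 'the-page-password'` against a site you own. A verdict of `wp-admin` with the `wp-postpass_` cookie set reproduces what the post describes (the password was accepted, but the visitor was sent to the dashboard); a verdict of `page` only when the Referer is sent would indicate that the destination depends on that header rather than on the password check itself.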

Published by Brian Dunn

Writer, Researcher, Owner: Rogue Media Labs | Rogue Security Labs
(929)-319-2570
BrianDunn@RogueSecurityLabs.Ltd
