Hi,
I am having an issue with my site, which has been running properly for a few years now, but I don’t know exactly when the issues started because of automatic upgrades/updates. I just stumbled across this issue today after checking the automatic update email I received.
If I access my site through “xxxxx/wp-admin/users.php” or other wp-admin PHP files, it is possible to access them and some information is leaked, even though I am not logged in. E.g. my user accounts are shown and all the posts or plugins can be accessed. I have no idea why anymore, and I am stuck after a few hours of debugging.
E.g. it looks like this when accessing the page:
I am really not sure why the checks for admin authorization don’t work and it loads the rest of the page nevertheless. I even tried to put a die() or exit() call in users.php just for testing; it even ignores that and still loads the content?!
I have tried various browsers and different computers, checked the sessions, and logged everyone out within the admin interface. I made sure that the PHP files are the same as in latest.zip (6.1.1); a diff shows no changed files (so I guess no backdoors, but who knows), except that wp-content is different, of course.
So I disabled all the plugins and renamed them; still wp-admin/* loads parts of the admin interface without being logged in.
Before, I had the WP All-in-one Security plugin installed as well and used the feature to rename the wp-admin page to something else. That worked fine so far, but this was the one plugin I thought could be the culprit. First I disabled the setting, then the whole plugin; nothing helped.
For obvious reasons I have now completely shut down the site, but I am not sure what else I could try 🙁 any hints?
Installed plugins:
akismet, disable-comments, dsgvo-youtube, foogallery, nextgen-gallery, real-cookie-banner, tablepress, wpforms-lite, all-in-one-wp-migration, disable-wp-rest-api, foobox-image-lightbox, local-google-fonts, noindex-pages, regenerate-thumbnails, updraftplus, wp-statistics
Theme: oria
WordPress version: latest 6.1.1
PHP: 8.0, also tried 8.1
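
Added example, not part of the original post and not WordPress code: a small check a site owner can run against their own site to test the symptom described above from outside the browser, by requesting a wp-admin page with no cookies and classifying the reply. The marker strings and cache header names are assumptions about typical setups, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Assumption: strings from stock wp-admin markup that appear only on rendered admin screens.
ADMIN_MARKERS = ('id="wpadminbar"', 'id="adminmenu"', "wp-list-table")
# Assumption: common response headers that indicate a cache answered instead of PHP.
CACHE_HEADERS = ("age", "x-cache", "cf-cache-status")

def classify(status, headers, body):
    """Return 'gated', 'exposed' or 'unclear' for one cookie-less response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307) and "wp-login.php" in hdrs.get("location", ""):
        return "gated"      # WordPress sent the visitor to the login form
    if status in (401, 403):
        return "gated"      # blocked by the web server or a security layer
    if status == 200 and any(marker in body for marker in ADMIN_MARKERS):
        return "exposed"    # admin markup delivered without a session
    return "unclear"

def cache_hints(headers):
    """Return cache-related headers; a hit means the file on disk may not be what is served."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    return {name: hdrs[name] for name in CACHE_HEADERS if name in hdrs}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None         # report the redirect itself instead of following it

def fetch(url):
    """GET url with no cookies, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err          # 3xx/4xx arrive here once redirects are not followed
    return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Constructed sample responses; for a live check use fetch("https://<your-site>/wp-admin/users.php").
    samples = [
        (302, {"Location": "https://example.test/wp-login.php?reauth=1"}, ""),
        (200, {"Age": "5321", "X-Cache": "HIT"}, '<ul id="adminmenu"></ul>'),
    ]
    for status, headers, body in samples:
        print(status, classify(status, headers, body), cache_hints(headers))
```

An "exposed" verdict together with cache headers points at a cached copy of an admin page being served, while "exposed" without them means the response is being generated without an authentication check.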
