WordPress: UnResolved ChangeSet are Visible to Public That also Causes Information Disclosure

2017-10-25T16:55:02
ID H1:282843
Type hackerone
Reporter hackerwahab
Modified 2018-02-05T14:47:55

Description

Hello,

While testing your security I observed that the security reports reported to you are, after validation, arranged for a fix, or you can say that a public repository was created for the code powering the site at https://code.trac.wordpress.org/changeset/[ID], which leaks the following things:

1. Unresolved bugs
2. PHP code of the website

Impact

Let an attacker who doesn't know the vulnerabilities in your system search for different IDs like 469, 470, 471, like this:
https://code.trac.wordpress.org/changeset/469
https://code.trac.wordpress.org/changeset/470
https://code.trac.wordpress.org/changeset/471

This discloses PHP code and unresolved security bugs to the public. An attacker can see unresolved vulnerabilities from here and can use them to destroy your services.

Thanks,
Abdulwahab Khan, Independent Cyber Security Researcher.