I just discovered that the plugin directory is accessible by anyone if they just browse to the right PHP file. For instance, if you have Akismet, you can get to it via: example.com/wp-content/plugins/akismet/akismet.php.
Granted the script won’t run, but what about scripts that do not rely on plugin hooks?
Is there something in WordPress that can be changed, or is it up to plugin authors to ensure that direct access to the plugin files is safe?
- The topic ‘Possible security flaw: plugin directory publicly available’ is closed to new replies.
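The guard most plugins use against the situation described in the post, as an added example that is not from the thread or from any real plugin: WordPress defines the `ABSPATH` constant (in wp-config.php, with a fallback in wp-load.php) before it includes active plugins, so a request that reaches a plugin file straight through the web server arrives with `ABSPATH` undefined. The plugin name, file and function names below are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Guarded Plugin (hypothetical, added example)
 *
 * Shows the standard per-file guard against a direct request such as
 *   GET /wp-content/plugins/example-guarded/example-guarded.php
 * When WordPress includes this file, ABSPATH is already defined; when the
 * web server hands the file to PHP directly, it is not.
 */

// 1. Direct-access guard. It must be the first statement so that nothing
//    below it executes on a direct request. Most plugins simply `exit;`
//    (or `die;`); sending an explicit 403 is an addition for clarity here.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// 2. Everything below runs only when WordPress has loaded the file.
//
//    A file whose top level only calls add_action()/add_filter() is mostly
//    harmless on direct access: the WordPress functions are undefined, so PHP
//    stops with a fatal error before any plugin logic runs (though with
//    display_errors on, that error can leak the server path). The guard
//    matters for files that do real work at the top level, such as the
//    report below, which reads the database and prints output.
function egp_render_report() {
    global $wpdb;
    // Hypothetical top-level work that must never be reachable without
    // WordPress and its authentication having loaded first.
    $count = (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->users}" );
    echo esc_html( "Registered users: {$count}" );
}

// 3. Expose the report as an admin page rather than as a standalone URL.
//    WordPress authenticates the user and checks the 'manage_options'
//    capability before this callback runs; there is no separate PHP file
//    for a visitor to browse to.
add_action( 'admin_menu', function () {
    add_management_page(
        'EGP Report',        // page title
        'EGP Report',        // menu label
        'manage_options',    // required capability
        'egp-report',        // menu slug
        'egp_render_report'  // callback
    );
} );
```

To check a plugin file, request it directly (for example `curl -i https://example.com/wp-content/plugins/example-guarded/example-guarded.php`): with the guard in place the response is an empty 403 (or an empty 200 if the plugin uses a bare `exit`), and any output or PHP error means the file does top-level work without the guard. The guard is per file, so it has to be present in every PHP file of the plugin that could do something when executed on its own, not only in the main plugin file.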