after logout session not destroy from server/website side

I am conducting a penetration test on a WordPress site and I can observe the same issue. This is typically a low risk vulnerability.

If a user uses a public computer such as in a library, the next user might still be able to somehow retrieve the original cookie before logout and use that to get access to your account.

OWASP explains the problem in their security testing guide

EDIT: So in my case the website did not use the native WordPress logout but some plugin logout for an e-commerce website. I believe the issue lies in the plugin.

When using /wp-login.php?action=logout, all necessary WordPress cookies get cleared. But this might overlook some logout for some plugins.

So to answer the question above, check the logout link used. Is it not wp-login.php?action=logout, then this is not the native WordPress logout and you need to investigate why the website uses another logout function (probably part of a plugin).

Testing for Server-Side Session Termination

Related Posts:

  1. Find out what is using PHP sessions in WordPress
  2. SESSION in WordPress Plugin Development
  3. Woocommerce cart is a non-object inside `admin_post` action [closed]
  4. WooCommerce: Change default country on the cart page [closed]
  5. WordPress Keeps Logging Out – What Tests Can I Run to Solve This?
  6. User Session and Stored Cookies not get removed
  7. Session destroyed on page redirect
  8. Turning on output buffering in a wordpress plugin
  9. WooCommerce – set session with new cart item meta when updating cart item quantity [closed]
  10. How do I add $_SESSION[”] to my wordpress page?
  11. how do i change my website facebook login button to another text immediately user login? [closed]
  12. Codeless random token generation to pass into multiple tracking links in a single page load
  13. Strange admin-ajax / CSS / $_SESSION issue
  14. Plugin or ways to limit number of users logging in the website,
  15. Using sessions or an alternative in a plugin
  16. Can’t redirect to previous page after using GET
  17. Session alternative for plugins (due to caching)
  18. Using a Cron Job to dynamically populate a field ONCE, and then making the field blank the next time someone visits page
  19. PHP $_session is not work in wordpress
  20. Add section (add_settings_section) to a custom page (add_submenu_page)
  21. How to override shortcodes.php core file?
  22. Aggregate Summaries of Posts of Different Blogs in Multisite Instance
  23. How does WooCommerce display a custom comment_type in Comment Admin?
  24. WordPress PHP plugin – Settings page error
  25. How to fork a plugin to avoid updates after modifications?
  26. How to display public user profile with 2 additional fields? (GitHub source code included)
  27. echo do_shortcode is not working on theme’s template
  28. Can you limit the memory usage of a particular plugin?
  29. Scope for PHP Variables Assigned in functions.php or a plugin
  30. How to remove addthis from my default template
  31. JS Support Ticket – Auto create WP account
  32. How do I display only the latest post on my home page, while maintaining proper plugin hooks?
  33. How to remove plug in styles for WPForms Lite [closed]
  34. Passing an array from shortcode-function to filter-function
  35. Plugin update failed – ‘Installation failed: 504 Gateway Time-out 504 Gateway Time-out nginx/1.15.8’ error message
  36. WP_Async_Task doesn’t appear to be running asynchronously
  37. Add custom text color WordPress 3.9 TinyMCE 4 Visual editor
  38. ACF: post query, hide duplicate values [closed]
  39. WordPress Jquery UI Spinner
  40. How to customize a plugin?
  41. When taxes are country specific they don’t show in the cart totals
  42. How to replace website?
  43. changes to header.php not appearing
  44. Proper way to use plugin functions in functions.php
  45. How do I make reusable content blocks for header and footer when using WordPress headless with another front-end?
  46. Remove Pagination for Product Category Pages WooCommerce
  47. Is there a plugin or a way in the wordpress that would let us have different versions of a post or page accessibe to users?
  48. Adding a simple Javascript file with a plugin
  49. Get post content from outside the loop with plugin shortcode usability
  50. Adding option values as an array using a multi selectable select box
  51. How to set the default value as the saved value once a form of widget is saved?
  52. Example for use tinymce in wordpress 3.5.1?
  53. Dynamic Image Replacement through call rail phone call tracking plugins in wordpress
  54. Advanced custom fields and Slideshow gallery desn’t work together? [closed]
  55. How could I fix the lowercase problem in nextgen gallery? [closed]
  56. Need to edit author permissions | custom taxonomy
  57. Custom Logo Link WordPress
  58. Where do I put the code snippets I found here or somewhere else on the web?
  59. WP Import All Multiple Dynamic Link Imports
  60. admin_notices show after load completed
  61. Error in Fetching Custom Post Type parent Category URL (slug)
  62. is there a way to display product gallery images via cdn
  63. Changing the Default New User Notification Email
  64. WP Fastest Cache -> Render Blocking Js -> Exclude Js Sources
  65. function post to trash problem
  66. Content disappears when searching with Search & Filter plugin
  67. Fatal error: Class ‘RDTheme’ not found
  68. How to fix shifting header after installing speed / cache plugins?
  69. PHP message: WordPress database error Deadlock found when trying to get lock
  70. Field salespeople task management
  71. Can’t manage plugins anymore
  72. Creating Admin Submenu Page via Class Method
  73. plugins break after moving wp-content folder
  74. How to populate a Mailchimp newsletter with latest events from WordPress plugin EventOn?
  75. How to get author developer link on plugin page
  76. wp_schedule_event need to deactivate plugin changing recurrance
  77. How do plugin updates work?
  78. Show all posts of all categories but excluding a category on custom blog page with pagination of my theme
  79. ajax request not returning the result
  80. adding image in the header of my dev widget
  81. passing ‘&’ in return function of add_filter
  82. Is there going to an issue running different features of WP site in different subdomains?
  83. Is there a plugin that will override the “Error establishing a database connection” message? [closed]
  84. List all subpages hierarchically based on the currently viewed page, top ancestor levels included
  85. Shortcodes can only be used in Pages, not Posts
  86. Plugin with custom domain
  87. Create New Admin Menu Section – Like how custom post type works, in a way
  88. Combining JS files to one script
  89. How to clean up unnecessary file inside wp-content/plugins/wordpress-seo?
  90. woocommerce retriving category name as div class?
  91. Duplicating wordpress install issue
  92. Woocommerce add product variations block to my custom template
  93. Ajax button “Load more” is not loading correct language version posts for logged out users
  94. WordPress REST API Visual Composer Shortcodes
  95. Unable to pass arguments from plugin form to filter hook using ajax, the data is transferring via ajax but unable to pass as arguments in filter hooks
  96. Why am I getting an error when requiring a file in my plugin?
  97. Redirect OLD/Path to NEWURL/Path
  98. How can I use the zip of my plugin in another website?
  99. Executing ACF field as a shortcode
  100. Create custom Header and Footer for a page that uses diffrent theme then the rest of the website