Is this a WordPress security bug?

You’re misinterpreting the is_admin() function. It’s not a tag to check whether or not the user is an admin, it’s a template tag to check if you’re on an admin page.

From the Codex:

This Conditional Tag checks if the Dashboard or the administration panel is being displayed. This is a boolean function, meaning it returns either TRUE or FALSE.

You’re facing a couple of issued here though.

  1. If you attempt to go to /wp-admin while you’re not logged in, WordPress will automatically redirect the page. A request to /wp-admin is really a request to /wp-admin/index.php, a page non-logged-in users don’t have permission to see in the first place. So you’ll be redirected to /wp-admin/wp-login.php which doesn’t necessarily load your plugin code.
  2. I say “doesn’t necessarily load your plugin code” because I’m not sure. From the looks of things you’re echo/return exists in the global scope. Really, this code should be wrapped in a function and hooked to a WordPress action.

Now, if you go to the /wp-admin page while you’re logged in, is_admin() will evaluate to true you should be able to see the content of your echo statement just fine, assuming a couple of things:

  1. No errors in your code (as both @amit and @Fraggy have pointed out, you have a typo – an unescaped ' character.
  2. That you’re hooking things in at the right place. You shouldn’t just echo and return in the global scope because, really, there’s no way to control where that echo/return will be happening. You should place this code in a function.

Important Note

If you ever do find a security hole or security-related bug in WordPress, you should report it to [email protected] rather than posting in a public forum like this. This kind of responsible disclosure gives the team the chance to address and patch the issue before malicious hackers can read about it and exploit it.

Related Posts:

  1. what is a auth_user_file.txt?
  2. Is moving wp-config outside the web root really beneficial?
  3. Can I Prevent Enumeration of Usernames?
  4. Best way to eliminate xmlrpc.php?
  5. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  6. Should I remove install.php and install-helper.php?
  7. Are Nonces Useless?
  8. What is the difference between esc_html filter vs attribute_escape filter?
  9. How do I technically prove that WordPress is secure?
  10. Which KSES should be used and when?
  11. How do WordPress Nonces Work?
  12. How can I easily verify a core or plugin update has not broken anything?
  13. Disable comment windows for all existing posts (pages/blogposts)
  14. Generate WordPress salt
  15. Vanilla WordPress install, what can/should I put in disable_functions?
  16. Stop wordpress automatically escaping $_POST data
  17. Secure my “add_settings_field” translation?
  18. how can i embed wordpress backend in iframe
  19. Handling nonces for actions from guests to logged-in users
  20. WordPress Logout Only If User Click Logout or If User Delete Browser History
  21. Can I force a password change?
  22. How brute-forcer knows that the password is cracked for target username?
  23. wp_insert_post disable HTML filter
  24. What is pclzip.lib.php file that wordfence think it’s a malicious code
  25. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  26. How to disable XML-RPC from Linux command-line in a total way?
  27. How to remove javascript malware in wordpress site [closed]
  28. Completely remove the author url
  29. Securing my WordPress Files and Directories
  30. Restricting access to content
  31. About WordPress site security
  32. Single sign-on: wp_authenticate_user vs wp_authenticate
  33. How to allow internal links using wp_kses filtration
  34. How does Cross Site Scripting (XSS) work exactly? [closed]
  35. Relative security of different releases of WordPress
  36. How does the “authentication unique keys and salts” feature work?
  37. vs WordPress Security
  38. esc_html__ security : what for in this example?
  39. Using HTACCESS for Secret Access
  40. wp-config.php being written by attacker
  41. Definitive wordpress directory ownership and permissions on linux
  42. XML-RPC errors they know my username?
  43. Is [admin / admin] acceptable for all local websites?
  44. Simple Online Payment for Event Registration [closed]
  45. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  46. Client side HTTP parameter pollution (reflected)
  47. Local file inclusion critical security issue [closed]
  48. Malware script in database post table only? [closed]
  49. Best practices to assert current_user_can() with guests
  50. wordpress website host price and security [closed]
  51. XMLRPC slow and weird websites/services
  52. Are there security risks in working directly in the themes folder that builds into a theme folder?
  53. Is it safe to hand over the admin rights?
  54. how much information can we hide when using wordpress cms?
  55. How to find exploited wordpress plugin [closed]
  56. How I can open back door for myself?
  57. Basic password protection without using users and roles
  58. System setting changed by system user
  59. Does meta-data need to be sanitized?
  60. How can I force a specific password?
  61. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  62. Who updates the wp-admin/core file?
  63. How WordPress sanitizes post content on save? Or it doesn’t?
  64. Does this code indicate an exploit?
  65. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  66. How to prevent to direct access of my custom plugin folder/files
  67. Checking for origin of a xmlrpc request
  68. RESTRICT EDIT of PHP files?
  69. wp-content – permissions for files/folders created by apache
  70. How can I restrict access to specific parts of a page, not just the page itself?
  71. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  72. Monitor wordpress all external calls
  73. HSTS header not being added correctly
  74. how to protect wordpress content from crawler
  75. Securing WordPress running on Azure platform
  76. Can WordPress admin user + database credentials be used to gain Cpanel or FTP access?
  77. Should I worry about SQL injection when using REST API?
  78. Spam Registrations
  79. Links to root domain from search engines don’t work, but direct links and links from other referrers do
  80. How can I backup my site if it gets hacked?
  81. Standard Method for Securing a WordPress Site
  82. Site has fake users registered with a similar pattern in username and email
  83. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  84. Secure Multiple WordPress Installations on shared hosting
  85. Any way to disable /wp-login.php redirecting to the site folder?
  86. Able to go to WordPress admin even after deleting auth cookies from request headers
  87. Is WordPress ready for GDPR compliance? [closed]
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  92. Competitor is somehow accessing MetaData on a hidden WordPress site
  93. WordPress Hacks/Defacing [closed]
  94. checking the form submit in right order
  95. Our security auditor is an idiot. How do I give him the information he wants?
  96. I am under DDoS. What can I do?
  97. SSH keypair generation: RSA or DSA?
  98. How do I protect my company from my IT guy? [closed]
  99. Does changing default port number actually increase security? [closed]
  100. WordPress – tracking options