I find myself thinking "wow, what an obvious bug. How did Microsoft not catch that?" but then I think back to some of my own extremely obvious bugs. Thankfully my code is much lower impact.
I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev.
You could change the URL of the image, and get any file off the system to download as long as the service account had read access.
Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network isolated context.
Yeah, having learnt very similar (if not the same) lessons myself the hard way, I see great value in being able to fail badly, but with low stakes. I catch loads of bugs like these from jrs before they hit prod, but I don't feel like they're learning the fundamentals of security like trust, sanitising inputs, least privilege etc.
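The image-download bug described in this thread comes down to joining a user-supplied name onto a directory without checking where the result lands. The following is an added example, not code from any commenter or their app: a containment check that resolves the path first and then verifies it is still under the image directory. The names `resolve_image` and `build_demo_tree` and the file layout are hypothetical.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_image(base_dir, requested):
    """Return the real path of `requested` under base_dir, or None if it escapes."""
    base = Path(base_dir).resolve()
    # Assumption: `requested` is the raw URL segment, so decode it once here.
    name = unquote(requested)
    if "\x00" in name:
        return None
    # resolve() collapses "..", follows symlinks, and an absolute `name`
    # replaces the base in the join; checking containment afterwards
    # catches all three cases with one test.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def build_demo_tree():
    """Constructed sample layout: images/logo.png, a file outside it, a symlink to it."""
    root = Path(tempfile.mkdtemp())
    images = root / "images"
    images.mkdir()
    (images / "logo.png").write_bytes(b"png")
    secret = root / "service.conf"
    secret.write_text("password=constructed")
    os.symlink(secret, images / "link.png")
    return images, secret


if __name__ == "__main__":
    images, secret = build_demo_tree()
    requests = ["logo.png", "../service.conf", "%2e%2e%2fservice.conf",
                str(secret), "link.png"]
    for req in requests:
        print(f"{req!r:45} -> {resolve_image(images, req)}")
```

The check limits what a request can name; running the service account with read access to the image directory only limits what a missed case can reach.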
That would be an incorrectly configured HTTP server. Not WordPress.
Things used to be distributed with .htaccess files, but only Apache uses them and so that got offloaded on "blame the admin for not following documentation." Forgetting that nobody ever adds such to the docs.