Strengthening Intranet Mode Security: Important Changes to URL Matching

With the latest release 43.0, we have introduced an important security improvement to how the WPO365 plugin evaluates pages that are exempt from authentication. This change resolves two vulnerabilities that could otherwise allow attackers to bypass Intranet mode. This article explains what the issue was, what has changed, and what action administrators need to take.

Bypass authentication checks

The “Pages freed from authentication” list allows administrators to define specific pages that should remain publicly accessible, even when Intranet mode is enabled. Previously, entries in this list were interpreted too loosely. In certain edge cases, this made it possible for specially crafted URLs to bypass authentication checks.

This is a common class of issue in web application security: when input (in this case, a URL path) is not validated or normalized strictly, attackers may exploit inconsistencies to access protected resources.

In general, any mechanism that relies on matching user-supplied paths must be carefully designed to prevent unintended matches or bypasses.

What has changed

To address this, the plugin now applies stricter and more predictable matching rules:

  • Entries are interpreted as server-relative paths.
  • Each entry must start with a forward slash (/).
  • Matching is performed against the requested URI path, starting from the beginning.

In practical terms:

/public-page will match:

  • /public-page
  • /public-page/
  • /public-page/sub-page
  • /public-page?key=value
  • /public-page/?key=value

But it will not match:

  • /somewhere/public-page
  • /anything-else

/public-page?key=value will match:

  • /public-page?key=value
  • /public-page/?key=value

By enforcing this “match from the start” rule, the plugin ensures that only intended paths are exempted, eliminating ambiguity.

Your action is required

Please review the entries under Roles + Access > Pages freed from authentication and apply the following:

  • Since the plugin already internally handles the following cases, you can remove those from the list:
    • wp-cron.php
    • admin-ajax.php
    • favicon.ico
    • wp-login.php
    • xmlrpc.php
  • Make sure that each entry starts with a forward slash (/).
  • Use a site-relative path (not a full URL).
  • Be as specific as possible.
  • Avoid overly broad patterns (for example, an entry of / would exempt every page).
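As an added example (not WPO365's own code), the following Python sketch implements the "match from the start" rules described above and the entry checks from this list. The path normalisation, the segment-boundary requirement and the query-string handling are assumptions, since the page does not specify them.

```python
# Illustrative re-implementation of the "match from the start" rule.
# Added example, not the plugin's code; assumptions are noted in comments.
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Cases the plugin handles internally; entries naming them can be removed.
INTERNALLY_HANDLED = {"wp-cron.php", "admin-ajax.php", "favicon.ico",
                      "wp-login.php", "xmlrpc.php"}


def canonical_path(raw: str) -> str:
    """Percent-decode, collapse repeated slashes, resolve ./.. segments and
    drop a trailing slash so '/public-page/' and '/public-page' compare equal.
    (Assumption: the page does not say how the plugin normalises paths.)"""
    path = urlsplit(raw).path
    path = re.sub(r"/+", "/", unquote(path))
    path = posixpath.normpath(path or "/")
    return path if path.startswith("/") else "/" + path


def is_exempt(entry: str, request_uri: str) -> bool:
    """True when request_uri is freed from authentication by `entry`."""
    if not entry.startswith("/"):
        return False            # rule: entries must be server-relative
    entry_path = canonical_path(entry)
    req_path = canonical_path(request_uri)
    # Match from the beginning on a path-segment boundary (assumption: the
    # page does not state whether '/public-page' should match '/public-pages').
    if not (req_path == entry_path or entry_path == "/"
            or req_path.startswith(entry_path + "/")):
        return False
    # If the entry carries a query string, every key/value it names must be
    # present in the request (assumption: extra request parameters are allowed).
    wanted = set(parse_qsl(urlsplit(entry).query, keep_blank_values=True))
    have = set(parse_qsl(urlsplit(request_uri).query, keep_blank_values=True))
    return wanted <= have


def review_entry(entry: str) -> str:
    """Advice for one 'Pages freed from authentication' entry."""
    if entry.lstrip("/") in INTERNALLY_HANDLED:
        return "remove: handled internally by the plugin"
    parts = urlsplit(entry)
    if parts.scheme or parts.netloc:
        return "fix: use a site-relative path, not a full URL"
    if not entry.startswith("/"):
        return "fix: entry must start with /"
    if canonical_path(entry) == "/":
        return "warn: '/' exempts every page"
    return "ok"
```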

If you have questions about how this affects your configuration, feel free to reach out, as we’re happy to help you review your setup.