Any registered user can create a post on the donate.melloneducate.com site.
NOTE: The screenshots are showing users with a “Volunteer” role, not any registered user. While this is by design, as Volunteers need to create Campaigns (which are custom post types), I have removed the Dashboard access for Volunteers.
https://donate.melloneducate.com/volunteer-portal
There is no restriction on file upload types within the volunteer portal when updating a user’s profile picture.
NOTE: I have added a check for images only.
SRA was able to create a user with a weak password using a dictionary word and no special characters.
NOTE: This is not an issue, apps should not be enforcing passwords.
Strong password enforcement sounds like an obvious win—but in practice, it often creates more problems than it solves.
When you force rules like:
Users don’t become more secure—they adapt:
Password1! → Password2! → Password3!This actually reduces real-world security.
Traditional rules (symbols, etc.) are outdated thinking.
A password like:
P@ssw0rd!23 → technically “strong”, but easily crackedcorrect horse battery staple → long, simple, far more secureOver-enforcement pushes users toward complex-looking but weak passwords instead of long, memorable ones.
Strict rules lead to:
For SaaS or WordPress products (like what you’re building), this directly impacts:
Forced rotation (e.g. every 30/90 days):
Modern guidance (e.g. National Institute of Standards and Technology) explicitly recommends not forcing periodic password changes unless there’s a breach.
Most compromises today come from:
Strong password rules do almost nothing against these.
What actually helps:
If users are already frustrated with passwords, adding strict rules:
Admins think:
“We enforce strong passwords, so we’re safe.”
But without:
…it’s mostly security theatre.
Open registration is enabled on donate.melloneducate.com allowing any user to register an account.
NOTE: This is not an issue. This website requires user registration for Volunteers, where they can create Campaigns. It also requires user registrations for donations.
The WordPress admin portal is externally accessible.
NOTE: This is how WordPress works. I changed it to /4login on both websites. Read more below:
https://getbutterfly.com/why-changing-the-wordpress-login-url-is-a-bad-idea
When submitting a logon request or password reset request the website will disclose if a user is not registered on the site.
NOTE: User enumeration is not a meaningful attack vector. There’s no access, no privilege escalation, no data leak — just confirmation of existence. I have changed it to a basic “Invalid login credentials”, but see why this is not a security issue:
Even if you hide login responses, WordPress leaks users elsewhere:
/author/adminSo preventing enumeration at login is often security theatre, because the data is already accessible.
Modern security assumes:
Real attackers don’t sit guessing blindly—they use:
So hiding whether a user exists adds very little protection.
Clear feedback:
This matters a lot for:
Especially for:
If you hide existence:
Clear messaging:
→ helps users self-correct quickly
The form(s) do not have anti-scripting controls in place such as a CAPTCHA to prevent automated form submissions.
https://melloneducate.com/submit-your-own-photos-and-videos/
IE Volunteers 2026
IE Veteran Volunteers 2026
Student Volunteer Programme 2027
Literacy Hat Challenge
https://melloneducate.com/Contact/NOTE: They actually do, and it’s Akismet, in the back-end. Visual CAPTCHAs are actually discouraged due to UX and accessibility issues. Hidden CAPTCHAs are preferred.
https://melloneducate.com/about/financial-transparency/
NOTE: The page is called “Financial Transparency“, so…
Also, this is content, if the client wants to publish their list of employees, it’s their prerogative.