Update wordpress.md

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -659,28 +659,6 @@ User-Agent: PoC
 Connection: close
 ```
 
-Expected success indicators
-
-- Redirect to a plugin page (e.g., `/wp-admin/admin.php?page=candidates`).
-- New WordPress auth cookies issued; browser session becomes that user (ID 1 is commonly the first admin).
-
-Detection checklist
-
-- Access logs showing `?switch_back` (or `?switch_user=<id>`) in unauthenticated requests immediately followed by WordPress auth cookie issuance and a redirect to admin pages.
-- Inbound requests carrying `Cookie: original_user_id=*` on public endpoints.
-- Error pages triggered by `wp_die('Original user not found')` / `wp_die('No original user found…')` indicating probing.
-
-Hardening
-
-- Do not place login/state-changing flows on public `init`. Use `admin_post_*`/`wp_ajax_*` handlers and enforce `is_user_logged_in()` plus strong capability checks (e.g., `current_user_can('administrator')`).
-- Never derive identity from client cookies. Store the “original user” server-side (user meta) or use a signed, expiring token bound to the actor and verify it.
-- Make state-changing actions POST-only and require CSRF nonces (`check_admin_referer()` / `wp_verify_nonce()`).
-- Remove any `wp_ajax_nopriv_` exposure for these flows.
-
-Impact
-
-- Unauthenticated privilege escalation to any account, including administrator, leading to full site takeover.
-
 ---
 
 ### WAF considerations for WordPress/plugin CVEs