Make WordPress Core

#57640 closed enhancement (duplicate)

Don't reveal and show admin email address in "changed email address" template to low permission user roles - Privacy issue

Reported by: ReneHermi
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 6.1.1
Component: Privacy
Keywords:
Focuses:
Cc:

Description

A user with low permissions like the subscriber role can find out the email address of the main administrator account.

This is problematic because these low privilege accounts are not intended to receive such sensitive information. They are usually created for customer accounts or subscriber accounts that should be notified about new posts or comments.

This issue becomes even more severe when it is combined with the installation of popular plugins like WooCommerce, Easy Digital Downloads or newsletter plugins. These plugins nearly always create a WordPress user with a low user role. As a result, all of these sites are potentially affected even if the WordPress option "Anyone can register" is not activated.

Steps To Reproduce

Reproduce without 3rd party plugins:

  • Activate wp-admin > Settings > General > Anyone can register (or install a shop plugin like Easy Digital Downloads), create a subscriber, and log in with the subscriber account
  • Let the subscriber change their email address

Result: WordPress will send a confirmation email that reveals the (super) administrator email address.

Reproduce with a shop plugin like Easy Digital Download

  • Install Easy Digital Downloads
  • Make a purchase
  • Login with the purchaser account
  • Let the purchaser change their email address

Result: WordPress core will send a confirmation email that reveals the (super) administrator email address to the buyer.

Recommendations

Generally, I think we should remove the email address from the mail completely. As it is now, it's easy to create a bot that collects millions of valid WP admin email addresses just by creating subscriber accounts and then changing their email addresses afterward.

This affects the latest version, 6.1.1, but probably older WordPress versions as well.

To fix this, I recommend updating the email template in /wp-includes/user.php and removing the email placeholder from lines 2646 and 2588.

Note: I've already reported this on hackerone.com, but it was closed there with the explanation that this is not a security issue, so I am opening it here publicly as a privacy-related issue.

I still think it's a security issue, but this decision should be made by someone else.
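One way a site owner could suppress the leak on their own install without waiting for a core change, as an added example that is not code from the ticket or from WordPress core: a must-use plugin that hooks the `email_change_email` and `password_change_email` filters and strips the `###ADMIN_EMAIL###` placeholder before core substitutes the real administrator address. The filter names, the notification array with its `message` key, the placeholder spelling and the fact that substitution happens after the filter runs are assumptions about the core templates the ticket refers to and should be checked against the installed version; the `example_` function names and the sample message are hypothetical and constructed for this illustration.

```php
<?php
/**
 * Plugin Name: Example: hide admin email in change notifications
 * Description: Added example, not WordPress core code. Removes the
 *   ###ADMIN_EMAIL### placeholder (and the sentence carrying it) from the
 *   "email changed" / "password changed" notices that core sends to the
 *   user's old address. Drop the file into wp-content/mu-plugins/.
 */

/**
 * Redact the administrator address from a notification body.
 *
 * Assumption: core replaces '###ADMIN_EMAIL###' with get_option('admin_email')
 * only after the filters below have run, so removing the placeholder here
 * means the real address never reaches the outgoing message.
 *
 * @param string $message Notification body still containing placeholders.
 * @return string Body with the administrator address removed.
 */
function example_redact_admin_email( $message ) {
    // Step 1: drop the whole sentence that ends in the placeholder, i.e.
    // everything from the previous full stop up to the placeholder and any
    // trailing text on that line. This avoids leaving a dangling
    // "please contact the Site Administrator at" fragment.
    $message = preg_replace( '/[^.]*###ADMIN_EMAIL###[^.\n]*\.?/', '', $message );

    // Step 2: belt and braces for translated or customised templates whose
    // sentence structure the regex above did not match.
    $message = str_replace( '###ADMIN_EMAIL###', 'the site contact form', $message );

    // Step 3: collapse the blank lines the removal leaves behind.
    return preg_replace( '/\n{3,}/', "\n\n", $message );
}

/**
 * Filter callback shared by both notifications. Core passes an array with
 * 'to', 'subject', 'message' and 'headers' keys (assumed shape).
 *
 * @param array $email Notification array built by core.
 * @return array Same array with a redacted 'message'.
 */
function example_strip_admin_email_from_notice( $email ) {
    if ( is_array( $email ) && ! empty( $email['message'] ) ) {
        $email['message'] = example_redact_admin_email( $email['message'] );
    }
    return $email;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook both notices sent by wp_update_user().
    add_filter( 'email_change_email', 'example_strip_admin_email_from_notice', 10, 1 );
    add_filter( 'password_change_email', 'example_strip_admin_email_from_notice', 10, 1 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Outside WordPress (php this-file.php): show the effect on a constructed
    // message modelled on the default English "Email Changed" template.
    $sample = "Hi ###USERNAME###,\n\n"
        . "This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###.\n\n"
        . "If you did not change your email, please contact the Site Administrator at\n"
        . "###ADMIN_EMAIL###\n\n"
        . "This email has been sent to ###EMAIL###\n\n"
        . "Regards,\nAll at ###SITENAME###\n###SITEURL###";
    $redacted = example_redact_admin_email( $sample );
    echo $redacted, "\n";
    // Sanity check: the placeholder must be gone and nothing else disturbed.
    assert( false === strpos( $redacted, '###ADMIN_EMAIL###' ) );
    assert( false !== strpos( $redacted, '###NEW_EMAIL###.' ) );
    assert( false !== strpos( $redacted, 'This email has been sent to ###EMAIL###' ) );
}
```

The regex in step 1 deliberately removes the whole sentence rather than only the placeholder, because the default template puts the address on its own line directly after "contact the Site Administrator at"; replacing the placeholder alone would leave that half-sentence in the mail. Step 2 is a fallback so that a template with different wording still never carries the placeholder through to core's substitution.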

Change History (1)

#1 @swissspidy
18 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Looks like this got filed twice by accident. Closing in favor of #57639
