• Resolved jumbo

    (@jumbo)


    First, thanks for this great plugin.

    When a user visits a post, places a comment, and ticks the “Save my name, email, and website in this browser for the next time I comment.” checkbox, Powered Cache will store a URL-specific cookie in that user’s browser so that single post is excluded from showing its cached version to that commenter.

    This is clever, as it still shows cached pages to that person for posts they hadn’t commented on… yet.

    But here’s the problem/bug:

    Let’s say that user visits another post or page with a comment form. When they do, their author name, email address, and website URL are pulled from the three cookies WordPress core creates after they placed their last comment. For example:

    comment_author_url_900150983cd24fb0d6963f7d28e17f72
    comment_author_email_900150983cd24fb0d6963f7d28e17f72
    comment_author_900150983cd24fb0d6963f7d28e17f72

    These values are then inserted into the value attribute of all comment forms site-wide and Powered Cache is caching it and showing it to all users. This commenter’s credentials are now exposed to all visitors.

    I discovered this when testing this plugin on localhost via Edge browser. Left a comment, then visited several other pages.

    Then I visited those pages using desktop Chrome, Firefox, and mobile Chrome, and oddly, I noticed the author name, email, and website field for several pages displayed the credentials I entered when I placed the first comment via Edge browser.

    That’s when I looked in the “powered-cache” folder and noticed the author name, email, and website hardcoded into the cached pages.

    All visitors would see this.

    Most other caching plugins will not show cached pages to anyone who’s left a comment. They’ll check for the existence of a cookie that starts with “comment_author_” within the $_COOKIE array then exclude that person from receiving any cached pages. It’s a hammer-like approach, but prevents the sort of leakage detailed here.

    I see you’re taking a similar approach within the get_rejected_cookies() function, but stopping short of excluding comment_author_ matches.

    And you’re trying to (admirably) thread the needle, by only blocking the page that person commented on instead of treating them similar to a logged-in user. This is a great performance boost.

    But it’s introducing this weird and easy to miss bleed-through effect that’s leaking their details out to everyone.

    The workaround using the existing install would be to add “comment_author_” to the list of “Rejected Cookies” within Powered Cache settings. This resolves this issue with the existing codebase (after clearing the cache), but it’s back to the hammer-like approach that most other caching plugins use.

    FYI, here’s an example of how the Cache Enabler plugin takes an unforgivable approach to cookie exclusion:

    $cookies_regex = '/^(wp-postpass|wordpress_logged_in|comment_author)_/';

    Thanks.
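    As an added illustration (not code from the poster or from Powered Cache), the check below mirrors the Cache Enabler regex quoted above to decide whether a visitor with comment_author_* cookies should bypass the cache, and it audits cached HTML for comment forms that were stored with pre-filled author/email/url values, which is exactly the bleed-through the post describes. The cookie suffix is the one shown in the post; the cached page contents and commenter values are constructed samples.

```python
import re

# Cookie-name prefixes that mark a visitor as personalised; same pattern as the
# Cache Enabler regex quoted in the post.
REJECTED_COOKIE_RE = re.compile(r'^(wp-postpass|wordpress_logged_in|comment_author)_')

def should_bypass_cache(cookies):
    """Return True if any cookie name matches a rejected prefix (hammer approach)."""
    return any(REJECTED_COOKIE_RE.match(name) for name in cookies)

# Fields WordPress core pre-fills from the comment_author_* cookies.
PREFILL_FIELDS = ("author", "email", "url")
INPUT_RE = re.compile(r'<input\b[^>]*>', re.I)
ATTR_RE = re.compile(r'\b(name|value)\s*=\s*"([^"]*)"', re.I)

def find_prefilled_fields(html):
    """Return {field: value} for author/email/url inputs whose value is non-empty.
    Simple attribute heuristic: enough for WordPress comment form markup."""
    leaks = {}
    for tag in INPUT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        name = attrs.get("name")
        if name in PREFILL_FIELDS and attrs.get("value"):
            leaks[name] = attrs["value"]
    return leaks

def audit_cache(pages):
    """Map cache path -> leaked fields for every cached page carrying commenter data."""
    report = {}
    for path, html in pages.items():
        leaks = find_prefilled_fields(html)
        if leaks:
            report[path] = leaks
    return report

# Constructed samples: a clean cached comment form, and one baked with commenter details.
CLEAN_PAGE = """<form action="/wp-comments-post.php" method="post" id="commentform">
<input id="author" name="author" type="text" value="" size="30">
<input id="email" name="email" type="email" value="" size="30">
<input id="url" name="url" type="url" value="" size="30">
<input name="submit" type="submit" id="submit" value="Post Comment">
</form>"""
LEAKY_PAGE = (CLEAN_PAGE
              .replace('name="author" type="text" value=""', 'name="author" type="text" value="Jumbo"')
              .replace('name="email" type="email" value=""', 'name="email" type="email" value="jumbo@example.com"'))

# Cookie names as listed in the post (the suffix is WordPress's site hash).
SAMPLE_COOKIES = {"comment_author_900150983cd24fb0d6963f7d28e17f72": "Jumbo",
                  "comment_author_email_900150983cd24fb0d6963f7d28e17f72": "jumbo@example.com"}

if __name__ == "__main__":
    print(should_bypass_cache(SAMPLE_COOKIES))
    print(audit_cache({"powered-cache/post-1/index.html": CLEAN_PAGE,
                       "powered-cache/post-2/index.html": LEAKY_PAGE}))
```

Run over the real powered-cache folder, a non-empty report is the signal that pages were cached for a commenter and served to everyone.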

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Bug: Comment credentials getting cached and shown to all public, anonymous users’ is closed to new replies.