[wp-trac] [WordPress Trac] #25651: wp_mail not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers

WordPress Trac noreply at wordpress.org
Mon Oct 21 18:09:20 UTC 2013


#25651: wp_mail not setting Sender and Reply-To headers, exposing hosting account
info on some cPanel servers
----------------------------+-----------------------------
 Reporter:  MaximumResults  |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  General         |    Version:  3.6.1
 Severity:  major           |   Keywords:
----------------------------+-----------------------------
 When WordPress and WordPress plugins send emails using wp_mail() in
 wp-includes/pluggable.php, the "Sender:" and "Reply-to:" headers are not
 being set. When this happens on cPanel-based hosting services, the mail
 headers on the resulting emails expose the hosting account login name and
 the hosting server in the hosting service's name space (something like
 myccount at host99.myhostingservice.com ). This provides everything necessary
 to access the hosting account as the owner of the account, except the
 password. Registrants on a site should not be provided this information.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25651>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
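
Added example, not part of the ticket or of WordPress code: a Python check a site owner could run over a raw message received from their own site, reporting whether Return-Path, Sender or Reply-To are missing or carry an address outside the From domain, which is the exposure the ticket describes. The sample message, the function names and every .example address are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that may end up carrying an address chosen by the mail server
# instead of the site when the application does not set them itself.
AUDITED = ("Return-Path", "Sender", "Reply-To")

# Constructed sample: a message as a registrant might receive it when the
# application set only From and the server filled in the rest.
SAMPLE = """\
Return-Path: <myaccount@host99.myhostingservice.example>
Sender: myaccount@host99.myhostingservice.example
From: WordPress <wordpress@blog.example>
To: registrant@mail.example
Subject: Your username and password

body
"""


def domain_of(addr):
    """Lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()


def audit_headers(raw):
    """Return (header, finding, address) tuples for audited headers that are
    absent or that carry an address outside the From domain(s)."""
    msg = message_from_string(raw)
    from_addrs = getaddresses(msg.get_all("From", []))
    site_domains = {domain_of(a) for _, a in from_addrs if "@" in a}
    findings = []
    for name in AUDITED:
        values = msg.get_all(name)
        if not values:
            findings.append((name, "missing", None))
            continue
        for _, addr in getaddresses(values):
            # An empty Return-Path (<>) has no "@" and is skipped.
            if "@" in addr and domain_of(addr) not in site_domains:
                findings.append((name, "foreign-address", addr))
    return findings


if __name__ == "__main__":
    for name, kind, addr in audit_headers(SAMPLE):
        print(f"{name}: {kind} {addr or ''}")
```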

