[wp-trac] [WordPress Trac] #44347: WP allows creating username that is already used email address
WordPress Trac
noreply at wordpress.org
Mon Jun 11 00:46:58 UTC 2018
#44347: WP allows creating username that is already used email address
---------------------------+------------------------------
Reporter: phillipburger | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
---------------------------+------------------------------
Comment (by phillipburger):
As I thought more about this one, it might actually be a bigger problem.

Let's say that a user (maybe the only admin of a site) has an account like:

username: my_admin_username (clearly a poor username)
email: websiteadmin at thewebsite.com

If a bad person happens to know that email address and they have a way to
register a new user on that website and they decide to create an account
with:

username: websiteadmin at thewebsite.com
email: mypersonalemail at anotherwebsite.com

The problem I realized is, hopefully the admin knows their username and
does not always log in with email address because the lost email and other
login dialogs that use "username or email address" seem to check the email
address against username first - so that admin user may be locked out of
the site.

Thanks again, hope this helps.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44347#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
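
The collision described in the comment above can be refused at registration time and searched for among existing accounts. The following is an added example, not part of the original message and not WordPress core code; the example_ function names and the error code are hypothetical, and the filter covers only the built-in registration form.

```php
<?php
/**
 * Added example: hypothetical must-use plugin, not WordPress core code.
 * Names prefixed example_ are assumptions made for illustration.
 */

// Refuse a new username that is already another account's email address.
// 'registration_errors' runs for the standard wp-login.php registration form.
add_filter( 'registration_errors', 'example_block_login_email_collision', 10, 3 );

function example_block_login_email_collision( $errors, $sanitized_user_login, $user_email ) {
	// Only a username shaped like an email address can shadow an email lookup.
	if ( is_email( $sanitized_user_login ) ) {
		// email_exists() returns the owning user ID, or false if unused.
		$owner_id = email_exists( $sanitized_user_login );
		if ( $owner_id ) {
			$errors->add(
				'example_login_is_existing_email',
				'This username is not available. Please choose another one.'
			);
		}
	}
	return $errors;
}

// Audit existing data: accounts whose username equals a different
// account's email address. Returns an array of row objects.
function example_find_login_email_collisions() {
	global $wpdb;
	return $wpdb->get_results(
		"SELECT l.ID AS login_user_id, l.user_login, e.ID AS email_user_id
		 FROM {$wpdb->users} AS l
		 JOIN {$wpdb->users} AS e
		   ON l.user_login = e.user_email AND l.ID <> e.ID"
	);
}
```

Accounts created through other paths (multisite signup, programmatic creation) do not pass through this filter, so the audit query is the check to run after the fact.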