[wp-trac] [WordPress Trac] #31787: Password Reset Form Information Disclosure

WordPress Trac noreply at wordpress.org
Fri Mar 27 16:28:11 UTC 2015

#31787: Password Reset Form Information Disclosure
 Reporter:  mrtortai      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
 On the WordPress Lost Your Password form (/wp-

 If you enter an incorrect username the following message will display:
 "ERROR: Invalid username or e-mail."
 And if you enter an incorrect email address, the following message will
 display: "ERROR: There is no user registered with that email address."

 These error messages provide helpful information to an attacker or
 automated bot or spammers by helping them determine correct usernames and
 email addresses.

 For an alternative approach, we can look at Apple, Namecheap, Cloudflare,
 for example:

 Enter any incorrect Apple ID. The value can be accepted and the form
 provides no indication that the Apple ID is incorrect.

 Enter an incorrect username or email address.
 Nondescript Message: "If your email address exists in our database, you
 will receive a password recovery link at your email address in a few

 Enter an incorrect email address.
 Nondescript Message: "If an account with this email exists in the system
 you will receive an email confirmation shortly."


 The WordPress Lost Your Password form should not provide any indication if
 the username or email address entered is correct or incorrect.

Ticket URL: <https://core.trac.wordpress.org/ticket/31787>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list