[wp-trac] [WordPress Trac] #40667: Password reset screen allows validity (or otherwise) of the provided email
WordPress Trac
noreply at wordpress.org
Thu May 4 16:19:31 UTC 2017
#40667: Password reset screen allows validity (or otherwise) of the provided email
-------------------------+------------------------------
Reporter: dartiss | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution: invalid
Keywords: | Focuses: administration
-------------------------+------------------------------
Changes (by iandunn):
* status: new => closed
* resolution: => invalid
Comment:
Hi, this is a known issue, and
[https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue we don't consider usernames (and by extension, the existence of accounts) to be private].
A similar thing can be achieved just by browsing the `/author/{slug}` views.
Please don't ignore the warning that Trac displays when creating security
tickets. If you believe you've found a vulnerability, please
[https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues disclose it to us privately],
[https://hackerone.com/wordpress via HackerOne].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40667#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform