[wp-trac] [WordPress Trac] #40667: Password reset screen allows validity (or otherwise) of the provided email

WordPress Trac noreply at wordpress.org
Thu May 4 16:19:31 UTC 2017


#40667: Password reset screen allows validity (or otherwise) of the provided email
-------------------------+------------------------------
 Reporter:  dartiss      |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:  trunk
 Severity:  normal       |  Resolution:  invalid
 Keywords:               |     Focuses:  administration
-------------------------+------------------------------
Changes (by iandunn):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 Hi, this is a known issue, and
 [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
 we don't consider usernames (and by extension, the existence of accounts)
 to be private]. A similar thing can be achieved just by browsing the
 `/author/{slug}` views.

 Please don't ignore the warning that Trac displays when creating security
 tickets. If you believe you've found a vulnerability, please
 [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues
 disclose it to us privately], [https://hackerone.com/wordpress via
 HackerOne].

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40667#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
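The two enumeration paths the comment names (the lost-password form and the `/author/{slug}` archive) can be checked with the classifier below. This is an added example, not code from the ticket, from WordPress core, or from the reporter. It assumes the response shapes described in the docstrings (a redirect to `wp-login.php?checkemail=confirm` on success, a re-rendered form with a `login_error` box for an unknown identifier, 200 vs. 404 on author archives); the exact error wording varies by release, so only structure is matched. The sample responses are constructed, not captured from a real site.

```python
"""Classify WordPress responses to tell whether an endpoint leaks account existence.

Added example for ticket #40667; the sample responses are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Response:
    """Minimal HTTP response model: status code, headers, body text."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def account_exists_from_lostpassword(resp: Response) -> Optional[bool]:
    """Infer account existence from the reply to a lost-password POST.

    Assumption: on success wp-login.php redirects to
    wp-login.php?checkemail=confirm; for an unknown identifier it re-renders
    the form with an error box (id="login_error"). The wording of that error
    differs between releases, so only the structure is matched.
    Returns None when the reply fits neither pattern.
    """
    if resp.status in (301, 302, 303, 307):
        location = resp.headers.get("Location", "")
        query = parse_qs(urlparse(location).query)
        return True if query.get("checkemail") == ["confirm"] else None
    if resp.status == 200 and 'id="login_error"' in resp.body:
        return False
    return None


def account_exists_from_author_archive(resp: Response) -> Optional[bool]:
    """Infer account existence from GET /author/{slug}/.

    Assumption: a real user slug yields a 200 archive page; an unknown slug
    yields the theme's 404 page. Anything else is inconclusive.
    """
    if resp.status == 200:
        return True
    if resp.status == 404:
        return False
    return None


def is_enumeration_oracle(
    known_valid: Response,
    known_invalid: Response,
    classify: Callable[[Response], Optional[bool]],
) -> bool:
    """True when the endpoint answers distinguishably for a real and a bogus identifier.

    Two inconclusive replies (e.g. both 500) do not count as an oracle.
    """
    a = classify(known_valid)
    b = classify(known_invalid)
    return a is not None and b is not None and a != b


# Constructed sample replies (hypothetical host example.test, user "alice").
LOSTPASS_KNOWN = Response(
    302, {"Location": "https://example.test/wp-login.php?checkemail=confirm"}
)
LOSTPASS_UNKNOWN = Response(
    200, {}, '<div id="login_error"><strong>ERROR</strong>: Invalid username or email.<br /></div>'
)
AUTHOR_KNOWN = Response(200, {}, '<body class="archive author author-alice author-2">')
AUTHOR_UNKNOWN = Response(404, {}, '<body class="error404">')


if __name__ == "__main__":
    checks = [
        ("lost-password form", LOSTPASS_KNOWN, LOSTPASS_UNKNOWN, account_exists_from_lostpassword),
        ("/author/{slug} archive", AUTHOR_KNOWN, AUTHOR_UNKNOWN, account_exists_from_author_archive),
    ]
    for name, good, bad, classify in checks:
        verdict = "leaks account existence" if is_enumeration_oracle(good, bad, classify) else "uniform"
        print(f"{name}: {verdict}")
```

Run against live replies by filling `Response` from an HTTP client with redirects disabled, otherwise the `Location` header that carries the success signal is followed and lost. Both classifiers return `None` rather than guessing on unexpected status codes, so a hardened site that answers identically in both cases is reported as uniform instead of as a false positive.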

