[wp-trac] [WordPress Trac] #43027: Class comment-author-$login uses login, why not ID
WordPress Trac
noreply at wordpress.org
Fri Jan 5 11:28:10 UTC 2018
#43027: Class comment-author-$login uses login, why not ID
--------------------------+------------------------------
 Reporter:  webliberty    |      Owner:
     Type:  enhancement   |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Comments      |    Version:
 Severity:  normal        |   Keywords:
  Focuses:  template      |
--------------------------+------------------------------
Logging in to the administrator console requires entering a login and password.
If the comment contains a class with the login, then the attacker can only
pick up the password, because the login is already known.
Why not replace the login with the ID or nickname?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43027>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
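
One way a site owner could apply the ticket's suggestion today, as an added example that is not part of the ticket or of WordPress core: a `comment_class` filter that rewrites the `comment-author-*` class to carry the numeric user ID. The function name `example_comment_author_class_use_id` is hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): replace the identifier in the
 * comment-author-* class with the comment author's numeric user ID.
 * Place in a small plugin or the theme's functions.php.
 */
add_filter( 'comment_class', 'example_comment_author_class_use_id', 10, 4 );

function example_comment_author_class_use_id( $classes, $css_class, $comment_id, $comment ) {
    // Comments from visitors without an account have user_id 0 and get no
    // comment-author-* class, so there is nothing to rewrite.
    $user_id = isset( $comment->user_id ) ? (int) $comment->user_id : 0;
    if ( $user_id <= 0 ) {
        return $classes;
    }

    foreach ( $classes as $i => $class ) {
        // Rewrite only the author class; leave byuser, bypostauthor, etc.
        if ( 0 === strpos( $class, 'comment-author-' ) ) {
            $classes[ $i ] = 'comment-author-' . $user_id;
        }
    }

    return $classes;
}
```

Theme CSS that targets the old `comment-author-<name>` selectors will stop matching after this change and needs updating to the ID-based class.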