[wp-trac] [WordPress Trac] #47718: Verification of new admin email address can be bypassed via options.php
WordPress Trac
noreply at wordpress.org
Wed Jul 17 08:51:00 UTC 2019
#47718: Verification of new admin email address can be bypassed via options.php
--------------------------------+-----------------------------
Reporter: pixolin | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Options, Meta APIs | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------------+-----------------------------
If you want to change the admin email address for a single WordPress site
(`wp-admin/options-general.php`), a confirmation is requested by sending a
mail to the new mail address "to avoid the address being inadvertently set
to an incorrect address" (#39118).
If you change the mail address in `wp-admin/options.php` or use WP-CLI
(`wp option update admin_email my@mail.com`), no email will be sent to the
new address and no confirmation is required. The change is directly
executed.
While some users suggest using `options.php` to set a new admin email
address as a workaround (e.g.
https://www.timjensen.us/change-admin-email-without-confirmation/) and
"bypassing verification may have benefits in certain situations"
(https://twitter.com/earnjam/status/1151404147813605376), the
**verification process seems to be flawed**.
I ''don't'' see this as a ''security risk'', as only logged-in admins (or
users with access to WP-CLI) can execute changes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47718>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
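
Added example, not part of the ticket and not WordPress core code: a must-use plugin sketch that logs every `admin_email` change that did not arrive through the confirmation link, which covers the `options.php` and WP-CLI paths described above. The function name `example_audit_admin_email_change` is hypothetical, and the check assumes that core keeps the pending request in the `adminhash` option (keys `hash` and `newemail`) until after the confirmed change has been written.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not WordPress core code):
 * audit admin_email changes that bypass the confirmation e-mail.
 */

// Core fires "update_option_{$option}" after the stored value has changed,
// passing the old and the new value.
add_action( 'update_option_admin_email', 'example_audit_admin_email_change', 10, 2 );

function example_audit_admin_email_change( $old_value, $value ) {
	// Assumption: a confirmed change is made while the 'adminhash' option
	// still holds the pending request, and the request carries the matching
	// hash in ?adminhash=... (the link sent to the new address).
	$pending   = get_option( 'adminhash' );
	$confirmed = is_array( $pending )
		&& ! empty( $pending['hash'] )
		&& ! empty( $pending['newemail'] )
		&& isset( $_GET['adminhash'] )
		&& hash_equals( (string) $pending['hash'], (string) wp_unslash( $_GET['adminhash'] ) )
		&& 0 === strcasecmp( (string) $pending['newemail'], (string) $value );

	if ( $confirmed ) {
		return; // Change went through the verification flow.
	}

	// Identify who made the direct change: WP-CLI or a logged-in user.
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		$actor = 'wp-cli';
	} else {
		$user  = wp_get_current_user();
		$actor = $user->exists() ? 'user:' . $user->user_login : 'unknown';
	}

	// JSON-encode the record so values cannot inject extra log lines.
	error_log(
		'admin_email changed without confirmation: ' . wp_json_encode(
			array(
				'old'    => $old_value,
				'new'    => $value,
				'actor'  => $actor,
				'script' => isset( $_SERVER['SCRIPT_NAME'] ) ? wp_unslash( $_SERVER['SCRIPT_NAME'] ) : 'n/a',
			)
		)
	);
}
```

The hook only observes changes made through `update_option()`; a direct database write would not trigger it.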