[wp-trac] [WordPress Trac] #47718: Verification of new admin email address can be bypassed via options.php
WordPress Trac
noreply at wordpress.org
Wed Jul 17 10:27:59 UTC 2019
#47718: Verification of new admin email address can be bypassed via options.php
--------------------------------+------------------------------
Reporter: pixolin | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Options, Meta APIs | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
--------------------------------+------------------------------
Changes (by earnjam):
* keywords: => 2nd-opinion
Comment:
I think in general you should not be able to bypass verification when
changing the setting through the user interface.

My only holdup in continuing that position here is that
`wp-admin/options.php` isn't linked to anywhere in the admin, so it's not
something an average user would encounter. Only more advanced users will
even be aware of its existence.

I have used this method in the past to force a change on sites in a
multisite network where the equivalent screen is available at
`wp-admin/network/site-settings.php` and linked to from the tabs at the top of
`wp-admin/network/site-info.php`.

It's interesting that we have a discrepancy where this form (for directly
changing site options) is linked to on the multisite network admin, but it
is not on a single site installation. That may simply be due to the fact
that a network administrator is typically expected to be more
knowledgeable/experienced than a standard site admin.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47718#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform