[wp-trac] [WordPress Trac] #49956: Spammers able to share unmoderated comments

WordPress Trac noreply at wordpress.org
Thu Apr 23 13:26:05 UTC 2020


#49956: Spammers able to share unmoderated comments
--------------------------+---------------------
 Reporter:  jonkolbert    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.4.2
Component:  Comments      |     Version:  5.1
 Severity:  major         |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+---------------------

Comment (by ayeshrajans):

 It turns out that WordPress is hesitant on setting any cookies on sites
 without explicit consent, so this leaves cookies from the user
 verification. Here is a very simple approach of validating that the user
 has the same IP address as the IP address the comment was originally left
 from. This should take away the incentive for spammers because outside
 users will not see this comment even though the exact same URL is used.

 This is a very short-sighted fix, and I do not recommend we go down this
 road:

 1. It uses `$_SERVER['REMOTE_ADDR']`, which is not concrete. Reverse
 proxies sometimes do not forward the user IP and this IP needs to be taken
 into account.

 2. If the WordPress site is caching static responses, or is behind a load-
 balancer that caches responses, everyone with the unique URL will get the
 comment even though they come from different IP addresses.


 I think the security issue the OP mentioned is a serious one that can
 affect the majority of the WordPress sites out there. I think our step
 would be to expose an admin configuration option to disable the URL-scoped
 comment preview feature. I know I will immediately disable this feature
 instead of dealing with fragile scoping mechanisms.

 Alternately, the comment preview can be enabled only for those who consent
 to cookies, and the comment preview emits a Vary: cookie header to bust
 load-balancer/proxy caching.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49956#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
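The two objections in the comment above (REMOTE_ADDR behind a non-forwarding reverse proxy, and a shared cache serving an IP-scoped response to everyone with the URL) and the cookie-plus-Vary alternative, as an added example that is not part of the ticket and not WordPress code. The URL, addresses, response bodies, the `comment_preview` cookie name and its token are all constructed for the demo; the cache is a toy model that honours `Vary` the way a standards-following shared cache does.

```python
# Added example (not WordPress code): a toy model of the two failure modes the
# comment describes, plus the cookie + Vary alternative. All names, addresses,
# bodies and the cookie name are constructed for the demo.
from dataclasses import dataclass, field

URL = "/2020/04/some-post/?unapproved-preview=1"   # constructed preview URL
COMMENT_IP = "203.0.113.5"                        # constructed: where the comment was left
PREVIEW_TOKEN = "t0k3n"                           # constructed: value of the hypothetical consent cookie

PUBLIC_BODY = "<ol class='comments'><li>approved comment</li></ol>"
PREVIEW_BODY = PUBLIC_BODY + "<li class='pending'>your unapproved comment</li>"


@dataclass
class Request:
    url: str
    remote_addr: str                      # what PHP exposes as $_SERVER['REMOTE_ADDR']
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def preview_by_ip(req: Request) -> Response:
    """IP-scoped variant: show the pending comment only if REMOTE_ADDR matches.
    Nothing in the response tells a cache that the body depends on the client address."""
    body = PREVIEW_BODY if req.remote_addr == COMMENT_IP else PUBLIC_BODY
    return Response(body)


def preview_by_cookie(req: Request) -> Response:
    """Cookie-scoped variant: the pending comment is shown only to a client that
    presents the consent cookie, and Vary: Cookie tells caches to key on it."""
    cookie = req.headers.get("Cookie", "")
    body = PREVIEW_BODY if cookie == f"comment_preview={PREVIEW_TOKEN}" else PUBLIC_BODY
    return Response(body, {"Vary": "Cookie"})


class SharedCache:
    """Toy shared (load-balancer / CDN) cache. Entries are keyed on URL and, if the
    stored response carried Vary, on the values of the listed request headers.
    REMOTE_ADDR is not a header, so no Vary value can express 'depends on client IP'."""

    def __init__(self):
        self.entries = {}          # url -> list of (vary_fields, selecting_values, response)
        self.origin_hits = 0

    def fetch(self, req: Request, origin) -> Response:
        for vary_fields, values, resp in self.entries.get(req.url, []):
            if all(req.headers.get(h, "") == values[h] for h in vary_fields):
                return resp                       # cache hit
        resp = origin(req)                        # cache miss: ask the origin
        self.origin_hits += 1
        vary_fields = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        values = {h: req.headers.get(h, "") for h in vary_fields}
        self.entries.setdefault(req.url, []).append((vary_fields, values, resp))
        return resp


def ip_scoped_through_cache() -> tuple:
    """Point 2 of the comment: the commenter warms the cache, then a stranger from a
    different IP requesting the same URL is served the cached preview body."""
    cache = SharedCache()
    commenter = Request(URL, COMMENT_IP)
    stranger = Request(URL, "198.51.100.7")
    first = cache.fetch(commenter, preview_by_ip)
    second = cache.fetch(stranger, preview_by_ip)
    return (first.body == PREVIEW_BODY, second.body == PREVIEW_BODY, cache.origin_hits)


def cookie_scoped_through_cache() -> tuple:
    """Same sequence with the cookie + Vary: Cookie variant: the stranger does not
    match the commenter's cache entry and gets the public body from the origin."""
    cache = SharedCache()
    commenter = Request(URL, COMMENT_IP, {"Cookie": f"comment_preview={PREVIEW_TOKEN}"})
    stranger = Request(URL, "198.51.100.7")
    first = cache.fetch(commenter, preview_by_cookie)
    second = cache.fetch(stranger, preview_by_cookie)
    return (first.body == PREVIEW_BODY, second.body == PREVIEW_BODY, cache.origin_hits)


def ip_scoped_behind_proxy(client_ips) -> int:
    """Point 1 of the comment: behind a reverse proxy that does not forward the client
    address, every request reaches the origin with the proxy's own REMOTE_ADDR. If the
    comment was left through that proxy, the IP check passes for every client behind it."""
    proxy_addr = COMMENT_IP            # the comment itself arrived via the proxy
    passed = 0
    for _ in client_ips:               # the real client address never reaches the origin
        resp = preview_by_ip(Request(URL, proxy_addr))
        passed += resp.body == PREVIEW_BODY
    return passed


if __name__ == "__main__":
    print("IP-scoped, shared cache:     ", ip_scoped_through_cache())      # (True, True, 1)
    print("cookie-scoped, shared cache: ", cookie_scoped_through_cache())  # (True, False, 2)
    print("IP-scoped behind proxy:      ", ip_scoped_behind_proxy(["198.51.100.7", "192.0.2.9"]))  # 2
```

The toy cache honours `Vary` exactly; real load balancers and CDNs often ignore or strip `Vary: Cookie` for performance, so in practice a preview response that depends on a cookie should also be marked uncacheable (`Cache-Control: private, no-store`) rather than relying on `Vary` alone.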

