[wp-trac] [WordPress Trac] #49527: Impersonation on not-logged-in comment form
WordPress Trac
noreply at wordpress.org
Thu Feb 27 10:36:31 UTC 2020
#49527: Impersonation on not-logged-in comment form
--------------------------+-----------------------------
Reporter: antonv | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: 5.3.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
If a stranger knows the name and email of a previous approved commenter,
or of a registered user, the stranger’s comments are automatically
approved and published.
Probably it needs a token, or an open comment password entry that is used
for future comments by that stranger, stored in database and optionally by
cookie on stranger’s device.
First easiest fix would be to check if name or email belong to a
registered user and then automatically discard comment and redirect to
login form.
This came to my attention as a registered user notified me and complained
about comments he had not written, and they had his photo as avatar ---
fortunately for me nothing serious this time but it could have led to a
legal matter if misused. I for now have turned off public commenting.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49527>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
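An added example, not WordPress core code and not a patch attached to this ticket: a must-use plugin that implements the reporter's "first easiest fix" from the site owner's side using core hooks. It holds the comment for moderation instead of discarding it and redirecting to the login form, and the function name ticket49527_hold_impersonating_comment is my own.

```php
<?php
/**
 * Added example (not WordPress core code, not the reporter's patch).
 * When a visitor who is NOT logged in submits a comment whose email or
 * name matches a registered account, hold it for moderation instead of
 * letting the "previously approved commenter" rule auto-approve it.
 * Drop this file into wp-content/mu-plugins/ to activate it.
 *
 * Uses only core APIs: the pre_comment_approved filter (applied in
 * wp_allow_comment()), get_user_by(), is_user_logged_in(), sanitize_title().
 */

add_filter( 'pre_comment_approved', 'ticket49527_hold_impersonating_comment', 10, 2 );

function ticket49527_hold_impersonating_comment( $approved, $commentdata ) {
    // Logged-in authors were authenticated by WordPress; only anonymous
    // submissions can borrow someone else's identity.
    if ( is_user_logged_in() ) {
        return $approved;
    }
    // Leave spam/trash and comments already pending alone.
    if ( 'spam' === $approved || 'trash' === $approved || 0 === $approved || '0' === $approved ) {
        return $approved;
    }

    $email = isset( $commentdata['comment_author_email'] ) ? trim( $commentdata['comment_author_email'] ) : '';
    $name  = isset( $commentdata['comment_author'] ) ? trim( $commentdata['comment_author'] ) : '';

    // The email is what Gravatar keys on, so a matching email is what makes
    // the impersonating comment show the real user's avatar.
    $matches_user = ( '' !== $email && get_user_by( 'email', $email ) );

    // Also catch a reused login name or nicename (display names are not
    // indexed by get_user_by(), so they are not checked here).
    if ( ! $matches_user && '' !== $name ) {
        $matches_user = get_user_by( 'login', $name ) || get_user_by( 'slug', sanitize_title( $name ) );
    }

    if ( $matches_user ) {
        // 0 = pending moderation. Holding rather than discarding keeps the
        // submission visible to the site owner and does not silently drop a
        // genuine user who simply forgot to log in.
        return 0;
    }
    return $approved;
}
```

A held comment is never published, so the auto-approval path described in the ticket is no longer reachable for anonymous submissions that match an account, while a real user who logs in commenting as usual is unaffected.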