[wp-trac] [WordPress Trac] #53093: Network Admin Email
WordPress Trac
noreply at wordpress.org
Mon Apr 26 23:17:54 UTC 2021
#53093: Network Admin Email
----------------------------+--------------------------------------
 Reporter:  lars2923        |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  5.7.1
 Severity:  normal          |   Keywords:  needs-design needs-patch
  Focuses:                  |
----------------------------+--------------------------------------
I changed the Network Admin Email found under Settings. Here is a portion
of the message received when Saving Changes: "we will send you an email at
your new address to confirm it. The new address will not become active
until confirmed."

What occurred to me is IF I were a hacker, I change the email address from
yours to mine, all I have to do is go to MY email and acknowledge the
change. What I feel should happen is an email should be sent to the
address that is originally in the Network Admin Field (your address) prior
to the change and have that individual (you) acknowledge the change.

As it stands, I as a hacker can change the address to my address and it is
my address that receives the email requesting acknowledgement, not yours.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53093>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
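
The flow the ticket asks for, as an added example that is not WordPress core code and not part of the original ticket: the approval token is mailed to the address currently on file, so the holder of the new address cannot confirm the change alone. The class name, the in-memory outbox, the one-hour expiry and the addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not WordPress core: the confirmation token goes to the
// address currently on file, so only its owner can approve the change.
final class AdminEmailChange
{
    private ?array $pending = null;   // ['new' => ..., 'hash' => ..., 'expires' => ...]
    public array $outbox = [];        // stand-in for a mailer: [recipient, body]
    public function __construct(private string $currentEmail, private int $ttl = 3600) {}
    public function current(): string { return $this->currentEmail; }
    public function request(string $newEmail, ?int $now = null): void
    {
        if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid email address');
        }
        $token = bin2hex(random_bytes(32));
        // Keep only a hash of the token, never the token itself.
        $this->pending = [
            'new' => $newEmail,
            'hash' => hash('sha256', $token),
            'expires' => ($now ?? time()) + $this->ttl,
        ];
        // The approval message is addressed to the OLD address, not the new one.
        $this->outbox[] = [$this->currentEmail, "Approve change to $newEmail: token=$token"];
    }

    public function confirm(string $token, ?int $now = null): bool
    {
        $p = $this->pending;
        if ($p === null || ($now ?? time()) > $p['expires']) {
            $this->pending = null;    // nothing pending, or the request expired
            return false;
        }
        if (!hash_equals($p['hash'], hash('sha256', $token))) {
            return false;             // constant-time comparison failed
        }
        $this->currentEmail = $p['new'];
        $this->pending = null;        // single use
        return true;
    }
}

// Constructed sample run with made-up addresses.
$c = new AdminEmailChange('owner@example.org');
$c->request('replacement@example.net');
var_dump($c->confirm('guess'), $c->current());   // token was never sent to the new address
preg_match('/token=(\w+)/', $c->outbox[0][1], $m);
var_dump($c->confirm($m[1]), $c->current());     // owner of the old address approves
```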