[wp-trac] [WordPress Trac] #53093: Network Admin Email

WordPress Trac noreply at wordpress.org
Mon Apr 26 23:17:54 UTC 2021

#53093: Network Admin Email
 Reporter:  lars2923        |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  5.7.1
 Severity:  normal          |   Keywords:  needs-design needs-patch
  Focuses:                  |
 I changed the Network Admin Email found under Setting. Here is a portion
 of the message received when Saving Changes: "we will send you an email at
 your new address to confirm it. The new address will not become active
 until confirmed."

 What occurred to me is IF I were a hacker, I change the email address from
 yours to mine, All I have to do is go to MY email and acknowledge the
 change. What I feel should happen is an email should be sent to the
 address that is originally in the Network Admin Field (your address) prior
 to the change and have that individual (you) acknowledge the change.

 As it stands, I as a hacker can change the address to my address and it is
 my address that received the email requesting acknowledgement, not yours.

Ticket URL: <https://core.trac.wordpress.org/ticket/53093>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list