[wp-trac] [WordPress Trac] #53962: The bug allows to see the name(s) of a user(s) who has replied to a comment (not yet authorized).
WordPress Trac
noreply at wordpress.org
Fri Aug 20 04:11:53 UTC 2021
#53962: The bug allows to see the name(s) of a user(s) who has replied to a comment
(not yet authorized).
--------------------------+--------------------------------------
 Reporter:  fasuto        |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.9
Component:  Comments      |     Version:  2.7
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  administration, privacy
--------------------------+--------------------------------------
Changes (by peterwilsoncc):
* milestone: Awaiting Review => 5.9
Comment:
Replying to [comment:2 fasuto]:
> ... the bug could allow a security breach by listing the users
> commenting on the post, I wanted to report it by HackerOne but couldn't,
> I hope it can be fixed.

I thought about that and decided that it can be worked on in public in a
similar way that #49956 was.

As comments (including the commenter's name) are intended to be public, I
don't think there is much concern about exposing data intended to be
private. The main issue here is making sure it's not exploited by
spammers.

I've just moved it on to the next major release's milestone for
visibility.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53962#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform