[wp-trac] [WordPress Trac] #57394: wp_insert_user allows the new user to have a username equal to an already registered email

WordPress Trac noreply at wordpress.org
Wed Dec 28 23:54:03 UTC 2022


#57394: wp_insert_user allows the new user to have a username equal to an already
registered email
------------------------------------+-----------------------------
 Reporter:  buutqn                  |      Owner:  (none)
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  6.1.1
 Severity:  normal                  |   Keywords:  needs-patch
  Focuses:                          |
------------------------------------+-----------------------------
 Scenario:
     User A is an administrator, has username = 'admin' and email =
 'admin@domain.com';
     User B registers (on a WP install open to registration) with username =
 'admin@domain.com' and email = 'test@gmail.com';

 In my case, I use both users, one to administer the website and the other to
 simulate a customer user. Both users had the same password.

 When I tried to log in as the administrator user by email, I ended up logged
 in as user B.

 Then I changed User B's password so it did not conflict, and it works as it
 should: if I use user A's password it logs in as user A, and if I use User B's
 password it logs in as User B.

 I don't think this is a security issue, but allowing a user to be
 registered with another user's email as their username could be annoying and
 confuse some website administrators, for scams or something else.

 To solve this issue, I just hooked the username_exists filter and checked
 whether the username was an existing email.

 {{{#!php
 public function __construct() {
     // The 'username_exists' filter is applied with two arguments
     // ($user_id, $username); add_filter() defaults to passing only one,
     // so accepted_args must be 2 or $username is never received.
     add_filter("username_exists", array($this, "username_exists"), 10, 2);
 }

 /**
  * Treat a username that equals an existing user's email as "taken", so
  * that username_exists() reports a match and registration is refused.
  *
  * @param int|false $user_id  ID found by username_exists(), or false.
  * @param string    $username The username being checked.
  * @return int|false
  */
 public function username_exists($user_id, $username) {
     if (email_exists($username)) {
         $user = get_user_by("email", $username);
         // get_user_by() returns false when nothing matches; guard before
         // calling methods on it.
         if ($user instanceof WP_User && $user->exists()) {
             return $user->ID;
         }
     }
     return $user_id;
 }
 }}}
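 An alternative mitigation, added here as an example and not part of the
 ticket or of WordPress core: instead of faking a username match, reject
 email-shaped usernames where WordPress validates a new account before
 wp_insert_user() runs (open registration and the admin "Add New User"
 screen). It assumes a WordPress runtime (is_email, email_exists, WP_Error);
 the t57394_* function names are placeholders.

```php
<?php
// Added example (not from the ticket). Function names are placeholders.
// Returns an error message if $user_login is an email address or matches a
// stored user_email, otherwise null.
function t57394_username_email_error( $user_login ) {
    $user_login = trim( (string) $user_login );
    // An email-shaped username can later collide with a real account's
    // email and make email-based login ambiguous, as the ticket describes.
    if ( is_email( $user_login ) ) {
        return __( '<strong>Error:</strong> A username cannot be an email address.' );
    }
    // Also refuse an exact match against a stored email that is_email()
    // would not accept (e.g. addresses saved with unusual local parts).
    if ( email_exists( $user_login ) ) {
        return __( '<strong>Error:</strong> This username is not available.' );
    }
    return null;
}

// Open registration (wp-login.php?action=register): 'registration_errors'
// is applied with ( WP_Error $errors, $sanitized_user_login, $user_email ).
function t57394_registration_errors( $errors, $sanitized_user_login, $user_email ) {
    $msg = t57394_username_email_error( $sanitized_user_login );
    if ( $msg ) {
        $errors->add( 'username_is_email', $msg );
    }
    return $errors;
}
add_filter( 'registration_errors', 't57394_registration_errors', 10, 3 );

// Admin "Add New User" goes through edit_user(), which fires
// 'user_profile_update_errors' with ( WP_Error $errors, $update, $user );
// $update is false for a new account.
function t57394_profile_update_errors( $errors, $update, $user ) {
    if ( $update || empty( $user->user_login ) ) {
        return;
    }
    $msg = t57394_username_email_error( $user->user_login );
    if ( $msg ) {
        $errors->add( 'username_is_email', $msg );
    }
}
add_action( 'user_profile_update_errors', 't57394_profile_update_errors', 10, 3 );
```

 With this in place, the ticket's User B registration (username
 'admin@domain.com') is refused with a validation error rather than created.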

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57394>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
