[wp-trac] [WordPress Trac] #57640: Don't reveal and show admin email address in "changed email address" template to low permission user roles - Privacy issue

WordPress Trac noreply at wordpress.org
Mon Feb 6 08:25:34 UTC 2023


#57640: Don't reveal and show admin email address in "changed email address"
template to low permission user roles - Privacy issue
-------------------------+-----------------------------
 Reporter:  ReneHermi    |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Privacy      |    Version:  6.1.1
 Severity:  major        |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 A user with low permissions like the subscriber role can find out the
 email address of the main administrator account.

 This is problematic because these low privilege accounts are not intended
 to receive such sensitive information. They are usually created for
 customer accounts or subscriber accounts that should be notified about new
 posts or comments.

 This issue becomes even more severe when it is combined with the
 installation of popular plugins like WooCommerce, Easy Digital Downloads
 or newsletter plugins. These plugins nearly always create a WordPress user
 with a low user role. As a result, all of these sites are potentially
 affected even if the WordPress option "Anyone can register" is not
 activated.

 **Steps To Reproduce**

 **Reproduce without 3rd party plugins:**

 - Activate wp-admin > Settings > General > Anyone can register, or install
 a shop plugin like Easy Digital Downloads, and create a subscriber login
 with the subscriber account
 - Let the subscriber change his email address

 Result: WordPress will send a confirmation email that reveals the (super)
 administrator email address.

 **Reproduce with a shop plugin like Easy Digital Download**

 - Install Easy Digital Downloads
 - Make a purchase
 - Login with the purchaser account
 - Let the purchaser change his email address

 Result: WordPress core will send a confirmation email that reveals the
 (super) administrator email address to the buyer.

 **Recommendations**

 Generally I think we should remove the email address from the mail
 completely. As it is now, it's easy to create a bot that collects millions
 of valid WP admin email addresses, just by creating subscriber accounts and
 then changing their email addresses afterward.

 This affects latest version 6.1.1 but probably older WordPress versions as
 well.

 To fix this I recommend updating the email template in
 /wp-includes/user.php and removing the email placeholder from lines 2646
 and 2588.

 Note: I've already reported this on hackerone.com but it was closed there
 with the explanation that this is no security issue, so I am opening it
 here publicly as a privacy-related issue.

 I still think it's a security issue but this decision should be made by
 someone else.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57640>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
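As an added example (not part of the ticket and not WordPress core code), here is a site-level mitigation a site owner can deploy while the template question is being decided: a must-use plugin that hooks the existing `email_change_email` and `password_change_email` filters in wp-includes/user.php and strips the `###ADMIN_EMAIL###` placeholder before core substitutes the administrator address into the message. The filter names, the placeholder token and the filter-then-substitution order are WordPress core behaviour; the function name `example_redact_admin_email_placeholder` and the replacement wording are this example's own choices. Whether lines 2646 and 2588 in 6.1.1 correspond to exactly these two templates is not confirmed here.

```php
<?php
/**
 * Plugin Name: Redact admin email from account notices
 * Description: Added example (not WordPress core code). Keeps the
 *              administrator address out of the "email changed" and
 *              "password changed" notices sent to low-privilege users.
 *
 * Both notices are built in wp-includes/user.php from a template that
 * contains ###ADMIN_EMAIL###. Core replaces that token with
 * get_option( 'admin_email' ) only AFTER the 'email_change_email' /
 * 'password_change_email' filters have run, so removing the token inside
 * the filter means the address is never inserted.
 *
 * Install by copying this file into wp-content/mu-plugins/.
 */

/**
 * Drop every paragraph that carries ###ADMIN_EMAIL### and put a neutral
 * contact hint in its place. Working on whole paragraphs (blocks separated
 * by a blank line) removes the "please contact the Site Administrator at"
 * sentence together with the address line that follows it, instead of
 * leaving a dangling half-sentence behind.
 *
 * @param array $email    Array with 'to', 'subject', 'message', 'headers'.
 * @param array $user     Original user data (unused here).
 * @param array $userdata Updated user data (unused here).
 * @return array Filtered email array.
 */
function example_redact_admin_email_placeholder( $email, $user, $userdata ) {
    if ( ! isset( $email['message'] ) || false === strpos( $email['message'], '###ADMIN_EMAIL###' ) ) {
        return $email; // Nothing to redact (another plugin may already have rewritten the text).
    }

    // Replacement text is this example's own wording; ###SITEURL### is still
    // substituted by core afterwards, so the user gets a usable pointer.
    $replacement = 'If you did not make this change, please contact the site owner '
                 . 'through the contact form on ###SITEURL###.';

    $message    = str_replace( "\r\n", "\n", $email['message'] );
    $paragraphs = preg_split( '/\n{2,}/', $message );
    $kept       = array();
    $replaced   = false;

    foreach ( $paragraphs as $paragraph ) {
        if ( false !== strpos( $paragraph, '###ADMIN_EMAIL###' ) ) {
            if ( ! $replaced ) {          // add the hint once, even if the token appears twice
                $kept[]   = $replacement;
                $replaced = true;
            }
            continue;
        }
        $kept[] = $paragraph;
    }

    $email['message'] = implode( "\n\n", $kept );

    // Belt and braces: if a customised template had the token inside a
    // larger paragraph we kept, make sure no copy of it survives.
    $email['message'] = str_replace( '###ADMIN_EMAIL###', '[redacted]', $email['message'] );

    return $email;
}

add_filter( 'email_change_email',    'example_redact_admin_email_placeholder', 10, 3 );
add_filter( 'password_change_email', 'example_redact_admin_email_placeholder', 10, 3 );
```

This is a mitigation at the deployment level, not the template change the ticket asks for: it only covers the two core notices that are known to embed `###ADMIN_EMAIL###`, and a theme or plugin that builds its own notification text with `get_option( 'admin_email' )` directly is unaffected by it. After installing it, trigger an email change from a subscriber account and read the resulting message to confirm the administrator address is absent.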