[wp-trac] [WordPress Trac] #61819: A possible design flaw in administrative rights

WordPress Trac noreply at wordpress.org
Mon Aug 5 07:42:45 UTC 2024


#61819: A possible design flaw in administrative rights
----------------------------+-----------------------------
 Reporter:  erikvdh         |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  6.6.1
 Severity:  major           |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 Situation:

 On a WordPress site with multiple administrator accounts, administrators are
 able to change each other's passwords and email addresses, without any
 verification. Admins can lock each other out this way, and abuse each
 other's accounts, without the victim being able to reclaim or delete their
 own admin account.

 Also, administrators can create random accounts with e-mail addresses,
 without confirmation of the e-mail address owner. To me, that feels a
 little ‘outdated’ because these days, every new account has to be verified
 with a confirmation link.

 Steps to reproduce:

 * Admin A logs in to the WordPress website.
 * Admin A goes to User settings and edits Admin B's details.
 * Admin A changes the password for Admin B.
 * Admin A can change Admin B's email address, Admin B does not need to
 confirm this change. (Now he is locked out!)
 * Admin B is now completely locked out of his account, and has no way to
 recover his password, because the password recovery email address has also
 been changed.
 * Admin A can now abuse Admin B's name and account if he has malicious
 intent.

 Recommendations:

 * My recommendation is to build in a function that when Admin A creates or
 changes the email address of Admin B, Admin B must confirm this change.

 * Admin B must be able to remove himself from an existing WordPress
 environment; currently this is not possible, and he is dependent on another
 Admin to do this for him.

 * If a new Admin account is created within WordPress, the new user must
 confirm his account via a link that is sent to the entered email address.
 This prevents admin accounts from being created under email addresses of
 people who have not given permission for this.

 Final thoughts...

 The above is probably by design. However, I am concerned about this.
 Adjusting each other's data, and particularly the e-mail address for
 password recovery, is in my opinion too easy.

 There are many WordPress environments that have been built by third
 parties, and where contact disappears for all kinds of reasons or
 conflicts arise. It would be nice if admins could decide to withdraw from
 a certain WordPress website and not be dependent on third parties for
 this.

 Notice, I brought this issue to the attention of HackerOne but they deemed
 it a design choice and not a security issue.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61819>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
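The first recommendation in the ticket (another admin's change to an administrator's e-mail address must be confirmed by the owner of the new address) can be prototyped as a must-use plugin without touching core. The block below is an added example, not WordPress core code and not something the reporter posted: it hooks `user_profile_update_errors`, which core fires inside `edit_user()` before the user row is written, and uses only core functions (`get_userdata`, `user_can`, `wp_generate_password`, `wp_salt`, `update_user_meta`, `wp_mail`, `wp_update_user`). The meta key `_pending_admin_email`, the query argument `confirm_admin_email`, the 24-hour validity and the message texts are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Confirm admin e-mail changes (added example, not core code)
 *
 * When user X edits another administrator's profile and changes the e-mail
 * address, the save is refused and the new address is held as "pending" until
 * a link mailed to that address is used. Install under wp-content/mu-plugins/.
 * Meta key, query argument and validity period below are assumptions.
 */

const ADMIN_EMAIL_PENDING_META = '_pending_admin_email';   // assumed meta key
const ADMIN_EMAIL_CONFIRM_ARG  = 'confirm_admin_email';    // assumed query arg

// Fires in edit_user() before the row is written; $user is the proposed data.
// Adding an error makes edit_user() return without saving anything.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! $update || empty( $user->ID ) || empty( $user->user_email ) ) {
        return;
    }
    $current = get_userdata( $user->ID );
    if ( ! $current ) {
        return;
    }
    // Only intercept someone else changing an administrator's address.
    // A user changing their own address already gets core's confirmation mail.
    if ( get_current_user_id() === (int) $user->ID
        || ! user_can( $user->ID, 'manage_options' )
        || strcasecmp( $current->user_email, $user->user_email ) === 0 ) {
        return;
    }

    $new_email = $user->user_email;
    $token     = wp_generate_password( 32, false );           // alphanumeric secret
    // Store only a keyed hash of the token, so a database read does not yield a usable link.
    update_user_meta( $user->ID, ADMIN_EMAIL_PENDING_META, array(
        'email'   => $new_email,
        'hash'    => hash_hmac( 'sha256', $token, wp_salt( 'auth' ) ),
        'expires' => time() + DAY_IN_SECONDS,                // assumed 24 h validity
    ) );

    $link = add_query_arg( array(
        ADMIN_EMAIL_CONFIRM_ARG => $token,
        'uid'                   => (int) $user->ID,
    ), home_url( '/' ) );
    wp_mail(
        $new_email,
        sprintf( '[%s] Confirm your new e-mail address', wp_specialchars_decode( get_option( 'blogname' ) ) ),
        "A user with administrator rights asked to set this address on account #{$user->ID}.\n"
        . "Open this link within 24 hours to confirm: {$link}\n"
        . "If you did not expect this, ignore this message and nothing changes."
    );

    $errors->add(
        'email_pending',
        'The e-mail address was not changed: a confirmation link was sent to the new '
        . 'address, and the change is applied once its owner follows it.'
    );
}, 10, 3 );

// Consumes the link: presenting the token proves control of the new address.
add_action( 'init', function () {
    if ( empty( $_GET[ ADMIN_EMAIL_CONFIRM_ARG ] ) || empty( $_GET['uid'] ) ) {
        return;
    }
    $uid     = (int) $_GET['uid'];
    $token   = sanitize_text_field( wp_unslash( $_GET[ ADMIN_EMAIL_CONFIRM_ARG ] ) );
    $pending = get_user_meta( $uid, ADMIN_EMAIL_PENDING_META, true );

    if ( empty( $pending['hash'] ) || empty( $pending['expires'] )
        || time() > (int) $pending['expires']
        || ! hash_equals( $pending['hash'], hash_hmac( 'sha256', $token, wp_salt( 'auth' ) ) ) ) {
        wp_die( 'Invalid or expired confirmation link.', '', array( 'response' => 403 ) );
    }

    delete_user_meta( $uid, ADMIN_EMAIL_PENDING_META );     // single use
    // wp_update_user() does not re-enter edit_user(), so this is not intercepted
    // again; core still mails the OLD address that the e-mail was changed.
    $result = wp_update_user( array( 'ID' => $uid, 'user_email' => $pending['email'] ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 500 ) );
    }
    wp_safe_redirect( wp_login_url() );
    exit;
} );
```

Two caveats a practitioner would check before relying on this: it gates only the e-mail field, so the password change the ticket also describes is unaffected (an admin with `edit_users` can still set another admin's password, and the changed-password notice goes to whichever address is on the account at that moment); and because the hook refuses the whole save rather than silently reverting one field, the editing admin has to resubmit any other profile edits without the e-mail change. Applying the pending change through `wp_update_user()` keeps core's existing behaviour of notifying the previous address, which is the signal Admin B would need to notice the change.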