[wp-trac] [WordPress Trac] #20140: Ask old password to change user password
WordPress Trac
noreply at wordpress.org
Sun Jul 28 05:08:24 UTC 2024
#20140: Ask old password to change user password
-----------------------------------+---------------------------------
Reporter: nprasath002 | Owner: (none)
Type: feature request | Status: reopened
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: major | Resolution:
Keywords: has-patch 2nd-opinion | Focuses: ui, administration
-----------------------------------+---------------------------------
Changes (by dpknauss):
* focuses: => ui, administration
* severity: normal => major
Comment:
This is still a useful enhancement to limit the potential harm of a
hijacked user session, but to fully eliminate that type of threat it would
need to be applied to both user password and email address changes, as
well as any new user account creation, like @stephenharris's plugin:
https://wordpress.org/plugins/password-confirm-action/
Ideally, the privileged actions that trigger the challenge should
terminate the current user session and require reauthentication to
complete.
As Stephen's plugin notes, an Administrator with arbitrary
upload/install/activate/deactivate privileges can bypass all of these (and
any) defenses. Requiring reauthentication to perform
upload/install/activate/deactivate/delete actions would adequately defend
against hijacked Administrator sessions.
Since 2021, stolen session cookies from compromised user devices have
become the most common effective attack (exceeding plugin vulnerabilities)
on WordPress sites, so this old feature request has become even more
relevant as a way to limit the potential damage.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/20140#comment:31>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
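The measures the comment asks for (a current-password check before a password change, termination of every session afterwards, and withholding plugin install/activate/delete and user-creation capabilities until the session re-authenticates) can be built on core APIs alone. The plugin below is an added illustration written for this page; it is not the page's own code and not @stephenharris's password-confirm-action plugin. The `reauth_` function names, the `REAUTH_*` constants, the `current_password` form field, the `reauth_at` session key and the `reauth_example` admin-post action are this example's own choices, not core or plugin names.

```php
<?php
/**
 * Plugin Name: Reauth Gate (added example, not the plugin linked in the comment)
 *
 * Three measures, built only on core APIs:
 *  1. setting a new password requires the acting user's current password;
 *  2. a successful password change destroys every session, this one included;
 *  3. plugin upload/install/activate/delete/update and user creation are
 *     withheld until the session re-authenticates (within REAUTH_WINDOW).
 * reauth_* names, REAUTH_* constants, the 'current_password' field, the
 * 'reauth_at' session key and the 'reauth_example' action are assumptions.
 */

const REAUTH_WINDOW = 5 * MINUTE_IN_SECONDS;
const REAUTH_CAPS   = array(
	'upload_plugins', 'install_plugins', 'activate_plugins',
	'delete_plugins', 'update_plugins', 'create_users',
);

/* 1. Current-password field on the profile screens, and its check. */
add_action( 'show_user_profile', 'reauth_password_field' );
add_action( 'edit_user_profile', 'reauth_password_field' );
function reauth_password_field() {
	echo '<table class="form-table"><tr><th><label for="current_password">Your current password</label></th>'
	   . '<td><input type="password" name="current_password" id="current_password" class="regular-text" autocomplete="current-password" /></td></tr></table>';
}

add_action( 'user_profile_update_errors', 'reauth_check_password_change', 10, 3 );
function reauth_check_password_change( $errors, $update, $user ) {
	// edit_user() sets $user->user_pass only when the pass1 field was filled in.
	if ( ! $update || empty( $user->user_pass ) ) {
		return;
	}
	// The *acting* user proves their own password: the one thing a stolen
	// cookie does not carry. This also covers an admin editing someone else.
	$actor   = wp_get_current_user();
	$current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
	if ( '' === $current || ! wp_check_password( $current, $actor->user_pass, $actor->ID ) ) {
		$errors->add( 'reauth_required', 'Enter your current password to set a new one.' );
	}
}

/* 2. Password changed: drop every session token for the account. */
add_action( 'profile_update', 'reauth_terminate_sessions', 10, 2 );
function reauth_terminate_sessions( $user_id, $old_user_data ) {
	if ( get_userdata( $user_id )->user_pass === $old_user_data->user_pass ) {
		return; // Hash unchanged, so no password change.
	}
	WP_Session_Tokens::get_instance( $user_id )->destroy_all();
	if ( (int) $user_id === get_current_user_id() ) {
		// wp_update_user() is about to hand this browser a fresh cookie; suppress
		// that so the legitimate user logs in again and the hijacker is cut off.
		add_filter( 'send_auth_cookies', '__return_false' );
	}
}

/* 3. Capability gate keyed on a server-side re-auth timestamp for this session. */
function reauth_session_is_fresh( $user_id ) {
	$token = wp_get_session_token();
	if ( '' === $token ) {
		return false;
	}
	$session = WP_Session_Tokens::get_instance( $user_id )->get( $token );
	return ! empty( $session['reauth_at'] ) && ( time() - (int) $session['reauth_at'] ) <= REAUTH_WINDOW;
}

add_filter( 'user_has_cap', 'reauth_gate_capabilities', 10, 4 );
function reauth_gate_capabilities( $allcaps, $caps, $args, $user ) {
	// Only the requester's own session can vouch; leave checks about other users alone.
	if ( (int) $user->ID !== get_current_user_id() || reauth_session_is_fresh( $user->ID ) ) {
		return $allcaps;
	}
	foreach ( REAUTH_CAPS as $cap ) {
		if ( ! empty( $allcaps[ $cap ] ) ) {
			$allcaps[ $cap ] = false;
		}
	}
	return $allcaps;
}

/* Re-auth endpoint: POST current_password plus a 'reauth_example' nonce to admin-post.php?action=reauth_example */
add_action( 'admin_post_reauth_example', 'reauth_handle_reauth' );
function reauth_handle_reauth() {
	check_admin_referer( 'reauth_example' );
	$user    = wp_get_current_user();
	$given   = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
	$token   = wp_get_session_token();
	$manager = WP_Session_Tokens::get_instance( $user->ID );
	$session = $manager->get( $token );
	if ( ! $session || '' === $given || ! wp_check_password( $given, $user->user_pass, $user->ID ) ) {
		wp_die( 'Re-authentication failed.', 403 );
	}
	// Stamp the server-side record for this token only: a second stolen cookie
	// for the same account does not inherit the re-auth.
	$session['reauth_at'] = time();
	$manager->update( $token, $session );
	wp_safe_redirect( wp_get_referer() ?: admin_url() );
	exit;
}
```

Two design points matter here. The re-auth timestamp is stored in the server-side session record rather than in a cookie or user meta, so it is bound to one session token and cannot be replayed from another hijacked session of the same account; and the capability gate runs through `user_has_cap`, so every screen and AJAX handler that checks `install_plugins`, `activate_plugins` or `create_users` is covered without patching each one. Caveats a deployer would want: the form that posts `current_password` to the endpoint is not rendered above; on multisite, super admins bypass `user_has_cap` entirely, so this gate does not bind them; and an email-address check is deliberately omitted because, in current core, `send_confirmation_on_profile_email()` (hooked on `personal_options_update`) stashes the pending address and rewrites `$_POST['email']` before `edit_user()` runs, so an email check has to hook earlier than the profile-update error hook used here.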