[wp-trac] [WordPress Trac] #61481: Critical Bug in WordPress Affecting User Privacy (comment_class)

WordPress Trac noreply at wordpress.org
Sun Jun 23 07:15:19 UTC 2024


#61481: Critical Bug in WordPress Affecting User Privacy (comment_class)
--------------------------+------------------------------
 Reporter:  kamalireal    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:
 Severity:  major         |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------

Comment (by kamalireal):

 Replying to [comment:1 samiamnot]:
 > Usernames in WordPress are not considered a security issue.
 >
 > > It has been stated in previous tickets, "leaking" of the username is
 > > not deemed a security issue by WordPress.org, as it's a conscious decision
 > > to use the username as the slug in the URL, If you don't like this default
 > > behavior, there are plugins in the repository which allow you to change
 > > the url format to your preferred layout.
 >
 > https://core.trac.wordpress.org/ticket/20235#comment:7


 Hi,
 This issue is very important for WordPress stores. Let's assume that a
 user has placed an order on the site and their username is the same as
 their phone number, and they have left a comment on the site. Hackers or
 phishing perpetrators can easily find the phone number in the site's
 source code, which belongs to the customer, and contact them. By deceiving
 the customer through various methods, they can empty their account!
 Unfortunately, this has happened to some individuals. This issue is not
 related to the user link; it is related to the class created by the
 `comment_class` function.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61481#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
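For site owners who want to address the class described in this comment without waiting on core, the following is an added example (not code from the ticket or from WordPress core): a filter on the real `comment_class` hook that drops the `comment-author-{nicename}` class which `get_comment_class()` emits for registered commenters. It assumes a standard WordPress install and is meant to live in a must-use plugin.

```php
<?php
/**
 * Added example, not part of WordPress core or this ticket.
 *
 * get_comment_class() adds "comment-author-" . sanitize_html_class( user_nicename )
 * for every comment left by a registered user. This filter removes that single
 * class so the account name is not echoed into the markup of each comment.
 * The other classes ("byuser", "bypostauthor", "depth-N", ...) are left intact.
 *
 * Install as wp-content/mu-plugins/strip-comment-author-class.php
 */

add_filter(
    'comment_class',
    function ( array $classes, $css_class, $comment_id, $comment, $post ) {
        $kept = array_filter(
            $classes,
            static function ( $class ) {
                // Keep every class except the username-derived one.
                return strpos( $class, 'comment-author-' ) !== 0;
            }
        );
        // Re-index so the array joins cleanly into the class attribute.
        return array_values( $kept );
    },
    10,
    5
);
```

This only removes the class attribute; whatever author name or link the theme prints for the comment is unchanged, so check the theme's comment template separately. Themes that style comments per author via `comment-author-*` selectors will lose that styling.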