[wp-trac] [WordPress Trac] #61481: Critical Bug in WordPress Affecting User Privacy (comment_class)
WordPress Trac
noreply at wordpress.org
Sun Jun 23 07:15:19 UTC 2024
#61481: Critical Bug in WordPress Affecting User Privacy (comment_class)
--------------------------+------------------------------
Reporter: kamalireal | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: major | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by kamalireal):
Replying to [comment:1 samiamnot]:
> Usernames in WordPress are not considered a security issue.
>
>
> > It has been stated in previous tickets, "leaking" of the username is
> > not deemed a security issue by WordPress.org, as it's a conscious decision
> > to use the username as the slug in the URL. If you don't like this default
> > behavior, there are plugins in the repository which allow you to change
> > the URL format to your preferred layout.
>
> https://core.trac.wordpress.org/ticket/20235#comment:7
Hi,
This issue is very important for WordPress stores. Let's assume that a
user has placed an order on the site and their username is the same as
their phone number, and they have left a comment on the site. Hackers or
phishing perpetrators can easily find the phone number in the site's
source code, which belongs to the customer, and contact them. By deceiving
the customer through various methods, they can empty their account!
Unfortunately, this has happened to some individuals. This issue is not
related to the user link; it is related to the class created by the
`comment_class` function.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61481#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
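The class the comment refers to is the `comment-author-*` entry that `get_comment_class()` adds for comments left by registered users, and it passes through the `comment_class` filter before being printed. As an added example that is not part of this ticket or of WordPress core, the following mu-plugin strips that class site-wide so the commenter's slug no longer appears in the page source; the function name and the `example_` prefix are my own, and the sample class list at the bottom is constructed for an offline check.

```php
<?php
/**
 * Plugin Name: Hide comment author slug (hypothetical mitigation)
 * Description: Removes the comment-author-<slug> class that comment_class() emits.
 */

/**
 * Filter callback for 'comment_class'.
 *
 * Drops every class that starts with "comment-author-" and keeps the rest
 * (including "byuser" and "bypostauthor"), so theme styling that depends on
 * those generic classes keeps working while the per-user slug is withheld.
 *
 * @param string[] $classes    Classes computed by get_comment_class().
 * @param string   $css_class  Extra classes requested by the caller.
 * @param int      $comment_id Comment ID.
 * @param object   $comment    WP_Comment object.
 * @param mixed    $post       Post ID or object the comment belongs to.
 * @return string[] Filtered, re-indexed class list.
 */
function example_strip_comment_author_class( $classes, $css_class, $comment_id, $comment, $post ) {
	$kept = array_filter( $classes, function ( $class ) {
		// strpos() === 0 means the class begins with the prefix; keep all others.
		return 0 !== strpos( $class, 'comment-author-' );
	} );
	return array_values( $kept );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: hook with all five arguments the filter provides.
	add_filter( 'comment_class', 'example_strip_comment_author_class', 10, 5 );
} elseif ( PHP_SAPI === 'cli' ) {
	// Outside WordPress (plain `php` on the CLI): run a constructed sample through the callback.
	$sample   = array( 'comment', 'byuser', 'comment-author-09123456789', 'bypostauthor', 'depth-1' );
	$filtered = example_strip_comment_author_class( $sample, '', 1, null, null );
	echo implode( ' ', $filtered ), PHP_EOL; // comment byuser bypostauthor depth-1
}
```

Drop the file into `wp-content/mu-plugins/` so it loads before themes and ordinary plugins; the filter only affects markup generated through `get_comment_class()`, so a theme that prints the slug by other means still needs its own fix.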