No dupe-checking on wp_users.display_name field allows impersonation attack, edge case privilege escalation vulnerability
Reported by: foxly | Owned by:
This is a serious problem with how the WordPress core handles user data.
WordPress has many different names for the same user. There's user_login, which they can't change, user_nicename, which is essentially the same thing, and display_name.
If display_name is unset, the user_login will be displayed. But if display_name is set, the value in display_name will be displayed.
That means if a user sets their display_name to, say, "admin" on either the back-end menu, or on the profile config in BuddyPress, their name will be displayed as "admin" *everywhere* on the site.
This would be great for a phishing attack. And there are probably some plugins that this could open security holes in as well.
Also: It's possible for more than one user to have the same "display_name".
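The check the ticket asks for, written as a small must-use plugin. This is an added example, not code from WordPress core or from the reporter: it assumes it is loaded from wp-content/mu-plugins/ inside a WordPress install, and the function names (dng_*) are made up for the example. It hooks user_profile_update_errors, which edit_user() fires for both the own-profile form and the admin "Add/Edit User" form, and rejects a display_name that already appears in another row's user_login, user_nicename or display_name in wp_users.

```php
<?php
/*
Plugin Name: Unique display_name guard (added example, not WordPress core code)
Description: Rejects a profile save whose display_name collides with another
             account's user_login, user_nicename or display_name.
             Assumes it is dropped into wp-content/mu-plugins/.
*/

// Return the ID of another user who already "owns" $name in any of the three
// name columns, or 0 if the name is free. $self_id is excluded so a user may
// keep or re-save their own name. With the usual case-insensitive collation
// on wp_users, "Admin" and "admin" compare equal here.
function dng_name_taken_by( $name, $self_id ) {
    global $wpdb;
    $name = trim( (string) $name );
    if ( '' === $name ) {
        return 0;
    }
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users}
          WHERE ( user_login = %s OR user_nicename = %s OR display_name = %s )
            AND ID <> %d
          LIMIT 1",
        $name, $name, $name, (int) $self_id
    );
    return (int) $wpdb->get_var( $sql );
}

// Fired by edit_user() with the object about to be saved; adding an error to
// $errors aborts the save and shows the message on the profile form.
// $update is false when the admin is creating a brand-new user.
function dng_check_display_name( $errors, $update, $user ) {
    if ( empty( $user->display_name ) ) {
        return; // unset display_name falls back to user_login, nothing to check
    }
    $self_id  = $update ? (int) $user->ID : 0;
    $owner_id = dng_name_taken_by( $user->display_name, $self_id );
    if ( $owner_id ) {
        $errors->add(
            'display_name_taken',
            sprintf(
                '<strong>Error</strong>: the display name "%s" is already used by another account.',
                esc_html( $user->display_name )
            )
        );
    }
}
add_action( 'user_profile_update_errors', 'dng_check_display_name', 10, 3 );
```

Two caveats a practitioner should keep in mind. First, this only guards the core profile forms: a BuddyPress xprofile "Name" field, or any plugin that calls wp_update_user() directly, never passes through user_profile_update_errors, so the same query would have to be repeated in that code path. Second, an exact-match comparison stops the case in the ticket (display_name "admin" while someone else's user_login is "admin") but not lookalikes such as "admin " with trailing whitespace stripped by trim() here, "adm1n", or homoglyph variants; treating those as collisions needs a normalisation step the example does not attempt.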
Change History (6)
- Priority changed from highest omg bbq to normal
- Severity changed from critical to normal
- Priority changed from normal to high
- Severity changed from normal to major
- Summary changed from No dupe-checking on wp_users.display_name field causes serious vulnerability to No dupe-checking on wp_users.display_name field allows impersonation attack, edge case privilege escalation vulnerability
- Keywords security exploit spoofing display_name removed
- Priority changed from high to normal