﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
13866	No dupe-checking on wp_users.display_name field allows impersonation attack, edge case privilege escalation vulnerability	foxly		"This is a serious problem with how the WordPress core handles user data.

WordPress has many different names for the same user. There's user_login, which they can't change, user_nicename, which is essentially the same thing, and display_name.

If display_name is unset, the user_login will be displayed. But if display_name is set, the value in display_name will be displayed.

That means if a user sets their display_name to, say, ""admin"" on either the back-end menu or the profile config in BuddyPress, their name will be displayed as ""admin"" *everywhere* on the site.

This would be great for a phishing attack. And there are probably some plugins that this could open security holes in as well.

Also: It's possible for more than one user to have the same ""display_name"".
"	defect (bug)	closed	normal		Users	2.9.2	major	invalid		
