Low privilege user can see email address of comment author by HTML source
| Reported by: | lilyfan | Owned by: | |
| Severity: | normal | Keywords: | email comments autor has-patch tested |
At wp-admin/edit-comments.php, higher privilege users can do everything, and editor/author users can do restricted editing.
Author users can edit comments which belong to his/her posts.
He/she can see all comments, but cannot see the email addresses of others' posts in the admin panel.
However, in the HTML source, the email address of all posts is written in a div section with class="author-email"!!
So, author users can see all email addresses of all comments.
This div section is for quick editing; therefore, it must be deleted when he/she cannot edit the comment.
Change History (6)
- Component changed from Administration to Quick Edit
- Owner anonymous deleted
- Milestone changed from 2.7.2 to 2.8
- Severity changed from critical to normal
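
The behaviour reported above next to the requested fix, as an added stand-alone PHP example (not WordPress core code and not the patch attached to this ticket). `can_edit_comment()`, `render_row()`, the simplified role model and all sample data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WordPress code. can_edit_comment() is a hypothetical
// stand-in for the admin screen's capability check; the role model is simplified.
function can_edit_comment(array $user, array $comment): bool {
    if ($user['role'] === 'administrator') {
        return true; // higher-privilege users can edit everything
    }
    // Authors may edit only comments on their own posts.
    return $user['role'] === 'author' && $comment['post_author'] === $user['id'];
}

function render_row(array $user, array $comment, bool $hardened): string {
    $editable = can_edit_comment($user, $comment);
    $email    = htmlspecialchars($comment['email']);
    $html  = '<tr id="comment-' . (int) $comment['id'] . '">';
    $html .= '<td>' . htmlspecialchars($comment['author']) . '</td>';
    // Visible column: the address is shown only when the row is editable.
    $html .= '<td>' . ($editable ? $email : '');
    // Hidden quick-edit data. The reported behaviour emits it for every row;
    // the hardened path applies the same check as the visible column.
    if (!$hardened || $editable) {
        $html .= '<div class="hidden"><div class="author-email">' . $email . '</div></div>';
    }
    return $html . '</td></tr>';
}

// Constructed sample data: user 7 is an author who owns only the first post.
$author   = ['id' => 7, 'role' => 'author'];
$comments = [
    ['id' => 1, 'post_author' => 7, 'author' => 'alice', 'email' => 'alice@example.test'],
    ['id' => 2, 'post_author' => 9, 'author' => 'bob',   'email' => 'bob@example.test'],
];

// Regression check: no row the user cannot edit may contain the address anywhere.
foreach ([false, true] as $hardened) {
    foreach ($comments as $c) {
        $row  = render_row($author, $c, $hardened);
        $leak = !can_edit_comment($author, $c) && strpos($row, $c['email']) !== false;
        printf("%s row %d: %s\n", $hardened ? 'hardened' : 'reported', $c['id'],
            $leak ? 'email exposed in HTML source' : 'ok');
    }
}
```

The check at the end searches the whole rendered row rather than the visible cell, which is the difference between what the admin panel displays and what the response actually contains.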