Verify Comment Email Addresses of Registered Users

[mtdewvirus]

When leaving a comment with an email address of a registered user, WordPress should force the visitor to login or change the email address in the comment form.

Anyone can impersonate a blog's user if they know the user's email address.

[filosofo]

Duplicate of #8646 ?

[Denis-de-Bernardy]

Yeah. I closed the old one. See #8646, #2543, #1598.

[ryan]

How about get_user_by('email', $comment_author_email)?

[ShaneF]

Works as designed. Changed format to of what ryan had above.

[ryan]

Having a means to go back would be nice. Relevant discussion here:

​http://core.trac.wordpress.org/ticket/4332#comment:15

[ryan]

Maybe this should wait until we can offer a login form instead of just a die or go back. See #11172 for the planned login_form() function which would help here.

[ryan]

Postponing to 3.0 where we're planning to standardize the login and comment form stuff. That work will make it much easier to offer a good interaction here.

[westi]

I agree that it will be better for this to take advantage of #10931 - going to remove commit/has_patch for now as I think it is better to have an implementation which offers a login form so people can continue on and actually comment.

[dd32]

I agree that it will be better for this to take advantage of #10931

I agree as well, Without it, This ticket wouldnt exist! :)

[hakre]

I think westi had some other ticket in mind... but which one?

[westi]

Replying to hakre:

I think westi had some other ticket in mind... but which one?

I did #11172 - i.e. display a login form.

[rmccue]

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

[nacin]

Replying to rmccue:

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

Too late for 3.0 though. Moving to 3.1.

Remains a blessed task.

[scribu]

If I don't come up with an updated patch, go on without me... :)

[Denis-de-Bernardy]

#13791

[mdawaffe]

This solution is incomplete. If we're going to prevent impersonation, we need to implement CSRF protection for all logged in commentors. The patch on #13791 does this. The proposed code there is hook based, so it's all configurable/extendable. It's also more complicated.

If we go with this method, we'll need to pull in the CSRF stuff from #13791.

[scribu]

Instead of preventing the user from commenting, I think a better solution would be to accept the comment, but send it to the moderation queue.

There, the comment could have a notification displayed, to the effect of "Possible impersonation".

[scribu]

This could be done by storing a custom field on the comment.

[westi]

I'd like us to consider implementing this in 3.2

[westi]

Use Future Release to constrain 3.2-early

[greuben]

The patch only moves the comment to moderation if it is not spam and email is registered one.

[scribu]

Found out there's a plugin for this: ​http://wordpress.org/extend/plugins/impostercide/

[dd32]

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

[greuben]

Replying to dd32:

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

10931-2.diff​ does not move to spam, it moves the comment to moderation queue unless Akismet( or other spam plugins ) mark the comment as spam...

[dd32]

Sorry, misread the patch as spam rather than pending/moderation queue.

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

[greuben]

Replying to dd32:

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

For that, we can set
$comment_approved = -1 or 2;

and comments loop in themes (or wp_list_comments) should do

if( $comment_approved = -1 or 2 ){
echo "blah blah...";
}

[DrewAPicture]

#20165 Closed as dup/related.

[jane]

I would much prefer to force a login than push to moderation.

[nacin]

One thing to keep in mind; if a user is suspended/"deleted" or not yet activated, or has lost their password, forcing a login may prevent a comment from occurring temporarily or permanently.

Also, forcing a login here is actually pretty difficult from a technical perspective.

I think a push to moderation would be lame as well. Just pointing out some potential challenges.

[jane]

@nacin: I would also be fine with this being in a plugin. :)

[mark-k]

It is not only the impersonation possibility that is problematic, but also that the end result of commenting while logged in and while logged off might be different. When logged off author stylig will not be applied and the comment author URL will not be set to the website field in the user's profile.

Why not have something like

if user not logged in but email matches an active user {
    store comment in spam queue 
    dispatch cron event to be executed an hour later
    redirect to login form with redirect_to set to an admin URL in which the comment can be approved
    once approved duplicate the comment as if it was submitted by the user while he is logged in, remove the original from spam and process the new one
    then redirect to the post in which the comment was made.
}

in the cron event {
  if comment is still marked as spam send a mail to its author telling him to contact the admin about approving that comment
}

Comment initialy marked as spam since the damage of impersonation is probably higher then the damage of one comment being lost.

[playjoy]

I wanted to report this issue (for bbPress).
I'm amazed the issue still exists after 8 years it was first reported...

[SergeyBiryukov]

#49527 was marked as a duplicate.

[bookdude13]

Renewing interest in this. The main issues still to handle appear to be:

• How to deal with expired nonces in cached pages
• How to handle comments by anonymous or logged-out users (are they treated as anonymous, or are they treated as "normal" after a successful login?)

For expired nonces, one of ​these solutions could be explored.

For comments by logged-out users, some type of caching, queuing, or extra verification before the post seems to be the consensus?

[farhadvn]

i used a function for this problem! Of course, it may not be up to WordPress standards, but I hope it helps

function useremailcheck($approved){
 // example function
$email = filter_var($_POST["email"],FILTER_SANITIZE_EMAIL) ?: null;
// this SANITIZE is after wordpress validation, so this filter is not make sense, however wordpress devs can delete or replace it with a standard wordpress var.
if(is_user_logged_in() === false
// check if 1. user is not loggedin
 && isset($email)
 // 2. email is set
&& get_user_by("email",$email) !== false
// 3. we have an user with this email
&& $approved != "spam"
// 4. not marked as spam before
){
 $approved = 0;
// Force pending even if comments are open to all
 }
  return $approved;
}

add_action("pre_comment_approved","useremailcheck",999);

[azaozz]

Lets revisit this for 6.8.

Thinking that the idea to keep comments from existing users that are not logged-in in the moderation queue seems best. Such comments can be labelled in a specific way on the Comments screen so they would draw more attention.

One caveat with this idea may be comments by users that cannot moderate comments. In this case they may have to ask somebody else to approve their comments.

Alternatively the approach from https://core.trac.wordpress.org/attachment/ticket/10931/wp-comments-post.2.diff makes the most sense as it deals with this case as a "commenting error".

Fixes #10931

[audrasjb]

Screen capture of PR8114 result: works fine.

[audrasjb]

Hello there,

I attached a screencast of PR8114 above. At a glance, it do was it should do.

Yet I have two proposals:

1. I think we should remove the "or use a different email address" part of the message to avoid encouraging registered users to just remove one character from the email to send their comment with having to log in. Yep: most people are lazy :)
2. Should we prevent comments made with registered emails from being in the moderation queue? While I think it would sound logical given we want them to log in first, but I don't want us to facilitate spamming, so this should be tested with all the way people car send comments and not only the interface.

What do you think?

[audrasjb]

AH. Also we'll probably need some unit tests for this PR @rinkalpagdar.

[johnbillion]

The approach in ​PR 8114 goes against what several commenters on this ticket have indicated is their preference (including most recently @azaozz), which is to push the comment into the moderation queue rather than blocking it entirely. The PR are also introduces another means for an attacker to attempt to discover whether any given email address belongs to a registered user. This is technically not a functional change because it can be performed via wp-login.php, but it's definitely less than desirable. Placing such a comment into the moderation queue, along with an explanation of why it's there, is much preferable.

[audrasjb]

Moving to milestone 6.9 as this ticket lost its momentum and didn't get a new patch. Adding early keyword too.

Trac Ticket: #10931

[adamsilverstein]

A unit test would be nice here.

[adamsilverstein]

Thanks for the PR and unit tests @ankitkumarshah; looks good to me. Unless anyone raises outstanding concerns, I'm going to get this committed.

Hi @adamsilverstein,
Thank you for the review. I have made the necessary changes. Please review the PR at your convenience. Thank you. 🙌

[ankitkumarshah]

Hey @adamsilverstein,
Thank you for the feedback. I’ve made the necessary changes as requested. Please feel free to let me know if there’s anything else you’d like me to address.

[gulamdastgir04]

I have tested this PR in WordPress Playground:

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/8443

Environment

• WordPress: 6.9-alpha-20250606.060013
• PHP: 8.3.0-dev
• Server: PHP.wasm
• Database: WP_SQLite_Driver (Server: 5.5 / Client: 3.40.1)
• Browser: Chrome 138.0.0.0
• OS: Linux
• Theme: Twenty Twenty-Five 1.2
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Actual Results

1. ✅ Issue resolved with patch.

[rollybueno]

Reproduction Report

Description

This report validates whether a guest commenter can impersonate a registered user by using their email address in the comment form.

Environment

• WordPress: 6.9-alpha-60093-src
• PHP: 8.2.28
• Server: nginx/1.29.0
• Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
• Browser: Chrome 137.0.0.0
• OS: Linux
• Theme: Twenty Twenty-Five 1.2
• MU Plugins: None activated
• Plugins:
  • Query Monitor 3.18.0
  • Test Reports 1.2.0

Actual Results

A comment submitted by a guest using the email of the registered administrator is accepted without requiring login, allowing impersonation.

✅ Error condition occurs (reproduced).

Additional Notes

• ❗❗❗ I have tested this using Author Role but having difficulty to reproduce first, turns out I only able to reproduce when impersonating admin email, but it failed on Author role.
• I only found out after going through on each roles.
• No warning or login prompt is shown when the email matches administrator email.

Supplemental Artifacts

Admin email:

Comment passing through when using admin email. This without going to the moderation queue first. This is the main bug:

Comment blocked for moderation when using Author role:

[rollybueno]

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/8443

Environment

• WordPress: 6.9-alpha-60093-src
• PHP: 8.2.28
• Server: nginx/1.29.0
• Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
• Browser: Chrome 137.0.0.0
• OS: Linux
• Theme: Twenty Twenty-Five 1.2
• MU Plugins: None activated
• Plugins:
  • Query Monitor 3.18.0
  • Test Reports 1.2.0

Actual Results

1. ✅ Issue resolved with patch.

Additional Notes

• No side effects observed when using an administrator email.
• Patch correctly blocks guest comments using any registered user email.
• I tested this using the following method:

  git fetch upstream pull/8443/head:pr-8443
  git checkout pr-8443
  npm run env:restart
  

• I ran the new PHPUnit test unit, making sure it exercised all default WordPress roles (see test definition at ​https://github.com/WordPress/wordpress-develop/pull/8443/files#diff-3ede251a5cd89846c08805c7f4dcb763df26e1734e7a248974b30438b7a69dbeR215) by changing the value manually and re-run on each updates.
• I get same result of before and after video screencast from ​https://github.com/WordPress/wordpress-develop/pull/8443#issue-2892040401

Supplemental Artifacts

✅ Re-using administrator email since I was able to reproduce this earlier:

✅ Test the test unit. I changed the role with the default WP roles and re-run on each update:

✅ Confirming that I get same result of before and after video screencast from ​https://github.com/WordPress/wordpress-develop/pull/8443#issue-2892040401

[rollybueno]

Tested this using latest patch from ​https://github.com/WordPress/wordpress-develop/pull/8443/, it's good to go. Hey @adamsilverstein, you can re-add the commit keyword.

[mindctrl]

A concern I have with the current PR is that there is nothing in the wp-admin UI informing the admin/moderator that the comment in the queue was submitted by a logged out user who provided the email of an existing user.

The PR adjusts the email text via the comment_moderation_text filter, but if email notifications are disabled then the admin gets no notification at all of the potentially problematic nature of the comment.

[oglekler]

I share concerns with @mindctrl

I wonder if the more correct approach is to ask the user to log in and then return the user to the comment form. This way, we will not need to worry if the comment user is genuine or not. Another option is to add comment meta with the comment_moderation_text, but in this case it will be easy to miss, so I believe offering authorization will be the right approach, it will stop bogus comments from legitimate users and will be more convenient for moderation purposes.

[adamsilverstein]

I wonder if the more correct approach is to ask the user to log in and then return the user to the comment form.

That sounds right to me @oglekler and aligns with the original ticket request:

When leaving a comment with an email address of a registered user, WordPress should force the visitor to login or change the email address in the comment form.

@ankitkumarshah are you able to update your PR with this suggested change?

[wildworks]

This ticket was featured on today's 6.9 Bug Scrub.

@ankitkumarshah, do you have the bandwidth to refresh the PR?

[welcher]

6.9 Beta 1 is tomorrow and there hasn't been movement on this so I will punt it to 7.0