Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#16370 closed defect (bug) (duplicate)

Vulnerability: Comment posting by Guest

Reported by: igisev
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.4
Component: Comments
Keywords: comment posting guest
Focuses:
Cc:


If "Users must be registered and logged in to comment" is checked on the "Discussion Settings" console page, then any visitor can leave comments on a site.

But if a guest knows the e-mail and/or "display name" of any registered user, he can leave a comment as though he were this user!

For example:
Admin e-mail is 'admin[at]'. Admin display name is 'Administrator'.
The guest fills out the comment form with:
Name: Administrator
E-Mail: admin[at]
and presses the "Submit Comment" button.

As a result, the comment of the visitor and the comment of the Administrator look exactly the same! =/

What can you say about this? =(

Attachments (2)

1.gif (21.8 KB) - added by igisev 13 years ago.
Screen 1
2.gif (26.7 KB) - added by igisev 13 years ago.
Screen 2


Change History (4)


#1 @linuxologos
13 years ago

I can't see any bug though. The real admin has the ability to moderate comments and throw those away.

#2 @nacin
13 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10931.
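
One way a site could guard against the impersonation described in this ticket, as an added example that is not part of the ticket or of WordPress core: a small plugin that hooks the `preprocess_comment` filter and rejects a guest comment whose name or e-mail matches a registered account. The function name is hypothetical, and matching on `user_login` as well as `display_name` is an assumption of this example.

```php
<?php
/**
 * Added example, not WordPress core code: refuse a comment from a visitor who
 * is not logged in when the submitted name or e-mail matches a registered user.
 * The function name example_block_guest_impersonation is hypothetical.
 */
add_filter( 'preprocess_comment', 'example_block_guest_impersonation' );

function example_block_guest_impersonation( $commentdata ) {
	global $wpdb;
	// A logged-in commenter is already tied to an account; nothing to check.
	if ( is_user_logged_in() ) {
		return $commentdata;
	}
	// Pingbacks and trackbacks are not typed into the comment form.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
		return $commentdata;
	}

	// Comment data reaches this filter slashed; normalise before comparing.
	$email = isset( $commentdata['comment_author_email'] )
		? trim( wp_unslash( $commentdata['comment_author_email'] ) ) : '';
	$name  = isset( $commentdata['comment_author'] )
		? trim( wp_unslash( $commentdata['comment_author'] ) ) : '';

	// E-mail match: the address belongs to a registered account.
	$taken = ( '' !== $email && false !== get_user_by( 'email', $email ) );

	// Name match: compare against display_name and user_login.
	if ( ! $taken && '' !== $name ) {
		$sql   = "SELECT ID FROM {$wpdb->users} WHERE display_name = %s OR user_login = %s LIMIT 1";
		$taken = (bool) $wpdb->get_var( $wpdb->prepare( $sql, $name, $name ) );
	}

	if ( $taken ) {
		wp_die(
			'That name or e-mail address belongs to a registered user. Please log in to comment.',
			'Comment rejected',
			array( 'response' => 403, 'back_link' => true )
		);
	}

	return $commentdata;
}
```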
