Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#25651 closed defect (bug) (duplicate)

wp_mail() not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers

Reported by: MaximumResults
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 3.6.1
Component: Mail
Keywords:
Focuses:
Cc:

Description

When WordPress and WordPress plugins send emails using wp_mail() in wp-includes/pluggable.php, the "Sender:" and "Reply-To:" headers are not being set. When this happens on cPanel based hosting services, the mail headers on the resulting emails expose the hosting account login name and the hosting server in the hosting service's name space (something like myaccount@… ). This provides everything necessary to access the hosting account as the owner of the account, except the password. Registrants on a site should not be provided this information.

Change History (4)

#1 @MaximumResults (in reply to: description)
7 years ago

Replying to MaximumResults:

When WordPress and WordPress plugins send emails using wp_mail() in wp-includes/pluggable.php, the "Sender:" and "Reply-To:" headers are not being set. When this happens on cPanel based hosting services, the mail headers on the resulting emails expose the hosting account login name and the hosting server in the hosting service's name space (something like myaccount@… ). This provides everything necessary to access the hosting account as the owner of the account, except the password. Registrants on a site should not be provided this information.

I have a suggested solution. The PHPMailer class provides a method SetFrom(), and that method has a parameter, "auto", which will automatically set the "Sender:" and "Reply-To:" header information from the email name/address.

So a possible solution would be to put these three lines at line 340 of pluggable.php:

$from_email = apply_filters( 'wp_mail_from'     , $from_email );
$from_name  = apply_filters( 'wp_mail_from_name', $from_name  );
// auto = true also fills Sender and Reply-To from the From address when they are empty
$phpmailer->SetFrom( $from_email, $from_name, true );

in place of the current lines 340-341:

$phpmailer->From     = apply_filters( 'wp_mail_from'     , $from_email );
$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name  );

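The same effect can be had without patching pluggable.php, because wp_mail() runs the phpmailer_init action on its PHPMailer instance just before sending. The following drop-in plugin is an added example, not code from the ticket or from WordPress core; the mailbox address and plugin name are hypothetical placeholders. It uses the wp_mail_from and wp_mail_from_name filters to replace the default From address, then calls SetFrom() with auto = true from phpmailer_init so that Sender and Reply-To are filled in from the (already filtered) From address whenever they are still empty. A Reply-To supplied by the caller in $headers is left untouched.

```php
<?php
/*
Plugin Name: Sender and Reply-To for wp_mail() (added example)
Description: Drop this file into wp-content/mu-plugins/ to make every wp_mail()
message carry Sender and Reply-To headers. Not part of WordPress core or the ticket.
*/

// Hypothetical site-owned mailbox; replace with an address the site actually controls.
define( 'EXAMPLE_MAIL_FROM',      'no-reply@example.com' );
define( 'EXAMPLE_MAIL_FROM_NAME', 'Example Site' );

// wp_mail() applies these two filters to its default From address
// (wordpress@<site hostname>) and name before handing them to PHPMailer.
function example_mail_from( $from_email ) {
	return EXAMPLE_MAIL_FROM;
}
add_filter( 'wp_mail_from', 'example_mail_from' );

function example_mail_from_name( $from_name ) {
	return EXAMPLE_MAIL_FROM_NAME;
}
add_filter( 'wp_mail_from_name', 'example_mail_from_name' );

// wp_mail() fires phpmailer_init with its PHPMailer object (by reference) right
// before Send(). SetFrom() with the third argument true re-applies the current
// From/FromName and, only where they are still empty, sets:
//   - Sender: PHPMailer passes it as "-f<address>" to mail()/sendmail, so the
//     envelope sender / Return-Path becomes this address instead of the
//     <cPanel account>@<server> that the MTA would otherwise derive from the
//     process owner;
//   - Reply-To: the same address, unless the caller already supplied one.
function example_phpmailer_init( $phpmailer ) {
	$phpmailer->SetFrom( $phpmailer->From, $phpmailer->FromName, true );
}
add_action( 'phpmailer_init', 'example_phpmailer_init' );
```

Whether the MTA honours the -f override depends on its trusted-user configuration, so after installing the plugin send a test message (for example a password-reset email) to an external mailbox and inspect the Return-Path, Sender and Received headers of what arrives; if the account name still appears there, the local MTA is rewriting or annotating the envelope and the fix has to be made on the hosting side.
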
#2 @MaximumResults
7 years ago

  • Component changed from General to Mail

#3 @MaximumResults
7 years ago

  • Summary changed from wp_mail not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers to wp_mail() not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers

#4 @SergeyBiryukov
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #18792.
