Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#25651 closed defect (bug) (duplicate)

wp_mail() not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers

Reported by: MaximumResults   Owned by:
Milestone:                    Priority: normal
Severity: major               Version: 3.6.1
Component: Mail               Keywords:
Focuses:                      Cc:

Description

When WordPress and WordPress plugins send emails using wp_mail() in wp-includes/pluggable.php, the "Sender:" and "Reply-to:" headers are not being set. When this happens on cPanel-based hosting services, the mail headers on the resulting emails expose the hosting account login name and the hosting server in the hosting service's name space (something like myaccount@… ). This provides everything necessary to access the hosting account as the owner of the account, except the password. Registrants on a site should not be provided this information.

Change History (4)

#1 in reply to: ↑ description @MaximumResults
11 years ago

Replying to MaximumResults:

When WordPress and WordPress plugins send emails using wp_mail() in wp-includes/pluggable.php, the "Sender:" and "Reply-to:" headers are not being set. When this happens on cPanel-based hosting services, the mail headers on the resulting emails expose the hosting account login name and the hosting server in the hosting service's name space (something like myaccount@… ). This provides everything necessary to access the hosting account as the owner of the account, except the password. Registrants on a site should not be provided this information.

I have a suggested solution. The PHPMailer class provides a method SetFrom(), and the code there has a parameter, "auto", which will automatically set the "Sender:" and "Reply-To:" header information from the email name/address.

So, a possible solution would be, at line 340 of pluggable.php, put these three lines:

$from_email = apply_filters( 'wp_mail_from'     , $from_email );
$from_name = apply_filters( 'wp_mail_from_name', $from_name  );
$phpmailer->SetFrom($from_email, $from_name, true );

In place of the current lines 340-341:

$phpmailer->From     = apply_filters( 'wp_mail_from'     , $from_email );
$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name  );
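
A defender-side mitigation for the gap this ticket describes, as an added example that is not part of the ticket, of WordPress core or of PHPMailer: a must-use plugin that hooks the phpmailer_init action wp_mail() fires just before sending, and fills in the envelope Sender and a Reply-To from the From address whenever the caller left them empty. The file path, the EXAMPLE_MAIL_FROM constants and the noreply@example.com address are assumptions for illustration; the use of getReplyToAddresses() assumes a PHPMailer release that has it (the guard skips the step on older 5.2 releases, where SetFrom() with auto = true already adds the Reply-To, as the comment above notes).

```php
<?php
/**
 * Plugin Name: Explicit wp_mail sender headers
 *
 * Added example, not WordPress core or PHPMailer code. Assumed location:
 * wp-content/mu-plugins/explicit-mail-sender.php, so it loads on every request.
 *
 * wp_mail() runs the 'phpmailer_init' action with the configured PHPMailer
 * object just before sending. This hook fills in the envelope Sender and a
 * Reply-To from the From address whenever the caller left them empty, so the
 * local MTA never has to substitute the system user (on cPanel, the hosting
 * account) for them.
 */

// Assumed fallback identity for the site; replace with a mailbox on the
// site's own domain.
define( 'EXAMPLE_MAIL_FROM', 'noreply@example.com' );
define( 'EXAMPLE_MAIL_FROM_NAME', 'Example Site' );

// wp_mail()'s own filters: keep From on a real address even when a plugin
// passes nothing usable, because everything below is derived from it.
add_filter( 'wp_mail_from', function ( $from_email ) {
    return is_email( $from_email ) ? $from_email : EXAMPLE_MAIL_FROM;
} );

add_filter( 'wp_mail_from_name', function ( $from_name ) {
    return '' === trim( (string) $from_name ) ? EXAMPLE_MAIL_FROM_NAME : $from_name;
} );

add_action( 'phpmailer_init', function ( $phpmailer ) {
    // setFrom() with $auto = true re-applies From/FromName and copies From
    // into Sender (the envelope sender, i.e. sendmail -f / Return-Path) when
    // Sender is still empty. PHPMailer 5.x also adds a Reply-To here when
    // none is set; PHPMailer 6 only sets Sender.
    $phpmailer->setFrom( $phpmailer->From, $phpmailer->FromName, true );

    // Add the Reply-To explicitly for PHPMailer 6, but only when the caller
    // supplied none: an explicit "Reply-To:" header passed to wp_mail() must
    // keep winning. On old 5.2 releases without getReplyToAddresses() the
    // setFrom() call above has already covered the empty case.
    if ( method_exists( $phpmailer, 'getReplyToAddresses' )
        && array() === $phpmailer->getReplyToAddresses() ) {
        $phpmailer->addReplyTo( $phpmailer->From, $phpmailer->FromName );
    }
} );
```

To check the result, send a test message (for example with wp_mail() from WP-CLI's eval, or by triggering a password reset) and read the raw headers of the delivered mail: the Return-Path/Sender and Reply-To should now carry the site's address rather than the hosting account's system login and server name.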

#2 @MaximumResults
11 years ago

  • Component changed from General to Mail

#3 @MaximumResults
11 years ago

  • Summary changed from wp_mail not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers to wp_mail() not setting Sender and Reply-To headers, exposing hosting account info on some cPanel servers

#4 @SergeyBiryukov
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #18792.
