Opened 4 years ago

Last modified 5 months ago

#43706 reviewing enhancement

Email with link to change admin email does not include proposed new email address.

Reported by: sshanky
Owned by: SergeyBiryukov
Milestone: 5.9
Priority: normal
Severity: normal
Version: 4.9.5
Component: Users
Keywords: good-first-bug has-patch
Focuses:
Cc:

Description

This is a follow-up to #39112.

This can be precarious -- I've received this note twice since locking out the previous administrator (not sure how he is attempting to change the address yet) and there's no way to determine who is requesting the admin email change. The email with the link to change the admin email follows.

Howdy [name],

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
https://siteurl.com/wp-admin/options.php?adminhash=[hash]

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to [current admin email]

Regards,
All at sitename
http://siteurl.com

Attachments (2)

43706.patch (2.5 KB) - added by tremidkhar 8 months ago.
Rephrase the email address change notification email.
43706.1.patch (2.4 KB) - added by tremidkhar 8 months ago.
The old email can be taken from the $old_value variable if ticket #52464 gets resolved.


Change History (12)

#1 @sshanky
4 years ago

I just rehosted a site for a client, and am now receiving emails from the site stating I've recently requested to have the administration email changed. I didn't request it, and I've deleted the account the former admin could have used to log in. I've also changed all other passwords, and the host has changed.

This is the second time this has happened. The first time, I tried clicking the link to see if it would tell me the proposed new email that was requested, but instead it just authorized the change. And I couldn't change it back, because the confirmation email went to the new, unauthorized email. So I changed it directly in the database and now know better than to click the link.

I am trying to figure out how these emails are being generated...any ideas? Email I'm receiving is below.

Thanks!

#2 @soulseekah
4 years ago

Hey, @sshanky! Welcome to Trac :)

The email you mention does contain the "proposed new email address".

	$email_text = __(
		'Howdy ###USERNAME###,

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
###ADMIN_URL###

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to ###EMAIL###

Regards,
All at ###SITENAME###
###SITEURL###'
	);

###EMAIL### is, in fact, the proposed new email.

Quoting the help block in the User Edit screen:

If you change this we will send you an email at your new address to confirm it. The new address will not become active until confirmed.

What appears to be happening is that your old administrator registered as a regular user, and is trying to change his email to the address you're receiving the notification on. Would this make sense?

#3 @sshanky
4 years ago

This might be what is happening...It doesn't quite explain why, after clicking the confirmation link in the email, the admin email was set to the old admin's email address. Perhaps I thought I clicked the link but I didn't?

In any case, I would propose that it might be clearer if the verbiage in the email was more precise -- rather than using

This email has been sent to ###EMAIL###

which doesn't clearly state that ###EMAIL### is the proposed new email, a more instructive approach might be to change the email to read something like:


$email_text = __(
		'Howdy ###USERNAME###,

You recently requested to have the administration email address on
your site changed to:

###EMAIL###

If this is correct, please click on the following link to confirm this email and change it:
###ADMIN_URL###

You can safely ignore and delete this email if you do not want to
take this action.

Regards,
All at ###SITENAME###
###SITEURL###'
	);

Thanks for the reply. I'll play with it some more and come back if I can reproduce the behavior. For now we should probably close this issue.
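
Added example, not part of the ticket, its patches, or WordPress core: a site-level way to get the clearer wording proposed above without modifying core, using the `new_admin_email_content` filter that core applies to this template before substituting the placeholders. The callback name and the wording are assumptions; the text is left untranslated for brevity.

```php
<?php
/**
 * Plugin Name: Explicit admin email change notice (added example)
 *
 * Rewrites the confirmation email so that it names both the address
 * currently on record and the proposed new address.
 */

// Hypothetical callback name. Core passes the template text to this filter
// and replaces the ###...### placeholders after the filter returns, so the
// placeholders are kept as-is in the returned text.
function example_explicit_admin_email_notice( $email_text ) {
	// Address currently stored as the site's administration email.
	$current = get_option( 'admin_email' );

	return 'Howdy ###USERNAME###,

A request was made to change the administration email address on
your site.

Current address:  ' . $current . '
Proposed address: ###EMAIL###

If this is correct, please click on the following link to confirm the
proposed address:
###ADMIN_URL###

If you did not request this change, do not click the link. You can
safely ignore and delete this email.

Regards,
All at ###SITENAME###
###SITEURL###';
}
add_filter( 'new_admin_email_content', 'example_explicit_admin_email_notice' );
```

Placed in `wp-content/mu-plugins/`, the filter applies to every admin email change request on the site.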

#4 @avodesign
10 months ago

Did you ever sort a solution? I have the same thing happening. Ugh

#5 @johnbillion
10 months ago

  • Keywords needs-patch good-first-bug added
  • Type changed from defect (bug) to enhancement

Agreed that the wording in this email could be improved.

This ticket was mentioned in Slack in #core by tremidkhar. View the logs.


8 months ago

@tremidkhar
8 months ago

Rephrase the email address change notification email.

#7 @tremidkhar
8 months ago

  • Keywords has-patch added; needs-patch removed

@tremidkhar
8 months ago

The old email can be taken from the $old_value variable if ticket #52464 gets resolved.

This ticket was mentioned in Slack in #core by tremidkhar. View the logs.


7 months ago

#9 @SergeyBiryukov
7 months ago

  • Milestone changed from Awaiting Review to 5.8
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#10 @SergeyBiryukov
5 months ago

  • Milestone changed from 5.8 to 5.9

Thanks for the patch! Didn't get around to reviewing it in time for the 5.8 feature freeze, moving to the next release.
