
Opened 20 months ago

Last modified 20 months ago

#43706 new defect (bug)

Email with link to change admin email does not include proposed new email address.

Reported by: sshanky
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.5
Component: Users
Keywords:
Focuses:
Cc:
PR Number:

Description

This is a follow-up to #39112.

This can be precarious -- I've received this note twice since locking out the previous administrator (not sure how he is attempting to change the address yet) and there's no way to determine who is requesting the admin email change. The email with the link to change the admin email follows.

Howdy [name],

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
https://siteurl.com/wp-admin/options.php?adminhash=[hash]

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to [current admin email]

Regards,
All at sitename
http://siteurl.com

Change History (3)

#1 @sshanky
20 months ago

I just rehosted a site for a client, and am now receiving emails from the site stating I've recently requested to have the administration email changed. I didn't request it, and I've deleted the account the former admin could have used to log in. I've also changed all other passwords, and the host has changed.

This is the second time this has happened. The first time, I tried clicking the link to see if it would tell me the proposed new email that was requested, but instead it just authorized the change. And I couldn't change it back, because the confirmation email went to the new, unauthorized email. So I changed it directly in the database and now know better than to click the link.

I am trying to figure out how these emails are being generated...any ideas? Email I'm receiving is below.

Thanks!

#2 @soulseekah
20 months ago

Hey, @sshanky! Welcome to Trac :)

The email you mention does contain the "proposed new email address".

	$email_text = __(
		'Howdy ###USERNAME###,

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
###ADMIN_URL###

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to ###EMAIL###

Regards,
All at ###SITENAME###
###SITEURL###'
	);

###EMAIL### is, in fact, the proposed new email.

Quoting the help block in the User Edit screen:

If you change this we will send you an email at your new address to confirm it. The new address will not become active until confirmed.

What appears to be happening, is your old administrator registered as a regular user, and is trying to change his email to the address you're receiving the notification on. Would this make sense?

#3 @sshanky
20 months ago

This might be what is happening...It doesn't quite explain why, after clicking the confirmation link in the email, the admin email was set to the old admin's email address. Perhaps I thought I clicked the link but I didn't?

In any case, I would propose that it might be clearer if the verbiage in the email was more precise -- rather than using

This email has been sent to ###EMAIL###

which doesn't clearly state that ###EMAIL### is the proposed new email, a more instructive approach might be to change the email to read something like:


	$email_text = __(
		'Howdy ###USERNAME###,

You recently requested to have the administration email address on
your site changed to:

###EMAIL###

If this is correct, please click on the following link to confirm this email and change it:
###ADMIN_URL###

You can safely ignore and delete this email if you do not want to
take this action.

Regards,
All at ###SITENAME###
###SITEURL###'
	);

Thanks for the reply. I'll play with it some more and come back if I can reproduce the behavior. For now we should probably close this issue.
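The confusion in this thread comes from the flow itself: the confirmation mail is delivered to the proposed new address, so its recipient is by construction the address that will become the admin email, and following the link applies the change. The following is an added, constructed model of that flow (not WordPress core code and not the reporter's or commenter's) that renders the clearer template proposed in comment #3, sends it to the proposed address, and confirms the change through a single-use token. The `Site` class, `request_admin_email_change`, `confirm_admin_email_change`, `CONFIRM_WINDOW_SECONDS`, the `example.invalid` addresses and the `adminhash` token format are this example's own assumptions; the expiry window, constant-time comparison and single-use handling are design choices of the example, not a description of what core does.

```python
"""Model of a pending admin-email change confirmed via a link sent to the
proposed new address (constructed example, not WordPress core code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Wording follows the ticket's proposed template: the proposed address is
# stated explicitly instead of only as "This email has been sent to ...".
CONFIRM_TEMPLATE = (
    "Howdy {username},\n"
    "\n"
    "You recently requested to have the administration email address on\n"
    "your site changed to:\n"
    "\n"
    "{new_email}\n"
    "\n"
    "If this is correct, please click on the following link to confirm this email and change it:\n"
    "{admin_url}\n"
    "\n"
    "You can safely ignore and delete this email if you do not want to\n"
    "take this action.\n"
    "\n"
    "Regards,\n"
    "All at {sitename}\n"
    "{siteurl}"
)

CONFIRM_WINDOW_SECONDS = 24 * 60 * 60  # example policy: a pending change expires after a day


@dataclass
class Site:
    sitename: str
    siteurl: str
    admin_email: str
    # Pending change, analogous in role to the 'adminhash' option: token + proposed address.
    pending: Optional[Dict[str, object]] = None
    # Captured outgoing mail as (recipient, body) pairs, standing in for a mailer.
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def request_admin_email_change(self, username: str, new_email: str, now: float) -> str:
        """Record a proposed new admin address and mail a confirmation link to it."""
        token = secrets.token_hex(16)  # assumed token format for this example
        self.pending = {"token": token, "newemail": new_email, "requested": now}
        admin_url = f"{self.siteurl}/wp-admin/options.php?adminhash={token}"
        body = CONFIRM_TEMPLATE.format(
            username=username, new_email=new_email, admin_url=admin_url,
            sitename=self.sitename, siteurl=self.siteurl,
        )
        # The confirmation goes to the proposed address, not the current one:
        # whoever receives this message holds the proposed new admin email.
        self.outbox.append((new_email, body))
        return token

    def confirm_admin_email_change(self, adminhash: str, now: float) -> bool:
        """Apply the pending change only if the token is valid, unexpired and unused."""
        if self.pending is None:
            return False
        if now - float(self.pending["requested"]) > CONFIRM_WINDOW_SECONDS:
            self.pending = None  # expired: discard rather than leave it confirmable forever
            return False
        if not hmac.compare_digest(adminhash, str(self.pending["token"])):
            return False
        self.admin_email = str(self.pending["newemail"])
        self.pending = None  # single use: the same link cannot confirm twice
        return True


def demo() -> Site:
    """Run one request/confirm cycle on constructed sample data."""
    site = Site("Example Site", "https://example.invalid", "owner@example.invalid")
    t0 = time.time()
    token = site.request_admin_email_change("owner", "newowner@example.invalid", t0)
    site.confirm_admin_email_change("0" * 32, t0)    # wrong token: ignored
    site.confirm_admin_email_change(token, t0 + 60)  # right token: applied
    return site


if __name__ == "__main__":
    s = demo()
    recipient, body = s.outbox[0]
    print("confirmation sent to:", recipient)
    print(body)
    print("admin_email now:", s.admin_email)
```

Reading the outbox makes the point of comment #2 concrete: the recipient of the confirmation and the address named in the body are the same proposed address, which is why clicking the link, as described in comment #1, completed the change rather than revealing it.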
