Make WordPress Core

#46675 closed defect (bug) (invalid)

Just found a URL hack that will disclose admin login user name

Reported by: jeremiah01292
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: privacy
Cc: (none)

Description

Googling this pattern can give access to the admin user name / email:

"/author/[email address] minus the @ [email host name] adding a - [email host extension]"

Attachments (1)

Selection_041.png (6.0 KB) - added by jeremiah01292 16 months ago.


Change History (2)

#1 @johnbillion, 16 months ago

  • Component changed from General to Security
  • Focuses coding-standards removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

@jeremiah01292 Thank you for your interest in keeping WordPress users secure, but there are two prominent messages relating to security vulnerability disclosures that you need to ignore in order to submit a ticket here. Did you honestly see neither of them?

https://i.imgur.com/y0Fxm7I.png

https://i.imgur.com/9ADQbxE.png

Clicking through to the security program details why usernames are considered public information. You can read about that here: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
