WordPress.org

Make WordPress Core

#47718 closed defect (bug) (fixed)

Verification of new admin email address can be bypassed via options.php

Reported by: pixolin Owned by: SergeyBiryukov
Milestone: 5.3 Priority: normal
Severity: normal Version:
Component: Options, Meta APIs Keywords: has-screenshots
Focuses: Cc:

Description

If you want to change the admin email address for a single WordPress site (wp-admin/options-general.php), a confirmation is requested by sending a mail to the new mail address "to avoid the address being inadvertently set to an incorrect address" (#39118).

If you change the mail address in wp-admin/options.php or use WP-CLI (wp option update admin_email my@mail.com), no email will be sent to the new address and no confirmation is required. The change is directly executed.

While some users suggest using options.php to set a new admin email address as a workaround (eg. https://www.timjensen.us/change-admin-email-without-confirmation/) and "bypassing verification may have benefits in certain situations" (https://twitter.com/earnjam/status/1151404147813605376), the verification process seems to be flawed.

I don't see this as a security risk, as only logged in admins (or users with access to WP-CLI) can execute changes.

Attachments (2)

options-warning.png (16.6 KB) - added by zodiac1978 11 months ago.
Screenshot from the warning on top of the options.php page
47718.diff (1.7 KB) - added by donmhico 10 months ago.
Display an admin notice in wp-admin/options.php page.

Download all attachments as: .zip

Change History (11)

#1 @zodiac1978
11 months ago

I think both options (wp-admin/options.php and WP CLI) are not very known by beginners and just used by pro users - therefore the missing verification process is not a bug, but a feature IMHO.

Maybe wp-admin/options.php should get a warning sign, like the plugin/theme editor. Something like "You can break things here - do you really know what you are doing?".

#2 @earnjam
11 months ago

  • Keywords 2nd-opinion added

I think in general you should not be able to bypass verification when changing the setting through the user interface.

My only holdup in continuing that position here is that wp-admin/options.php isn't linked to anywhere in the admin, so it's not something an average user would encounter. Only more advanced users will even be aware of its existence.

I have used this method in the past to force a change on sites in a multisite network where the equivalent screen is available at wp-admin/network/site-settings.php and linked to from the tabs at the top of wp-admin/network/site-info.php.

It's interesting that we have a discrepancy where this form (for directly changing site options) is linked to on the multisite network admin, but it is not on a single site installation. That may simply be due to the fact that a network administrator is typically expected to be more knowledgeable/experienced than a standard site admin.

#3 @zodiac1978
11 months ago

  • Keywords dev-feedback added; 2nd-opinion removed

#4 @pento
11 months ago

  • Keywords needs-patch added; dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

I agree that this isn't a security issue, but a warning at the top of wp-admin/options.php would be appropriate, perhaps in the form of a non-dismissable admin notice.

@zodiac1978
11 months ago

Screenshot from the warning on top of the options.php page

#5 @zodiac1978
11 months ago

  • Keywords has-screenshots added

I'm not sure if this is the right place for it, but I put the function in /wp-includes/user.php:

<?php
/**
 * Adds an admin notice alerting the user to be careful on the options.php page
 *
 * @since 5.3.0
 *
 * @global string $pagenow
 */
function options_page_warning() {
        global $pagenow;

        if ( 'options.php' !== $pagenow ) {
                return;
        }

        echo '<div class="notice notice-warning">';
        echo '<p><strong>' . __( 'WARNING!' ) . '</strong></p>';
        echo '<p>' . __( 'This page allows direct access to your site settings. You can break things here. Please be cautious!' ) . '</p>';
        echo '</div>';

}

And the filter in /wp-admin/includes/admin-filters.php:

<?php
add_action( 'admin_notices', 'options_page_warning' );

You can see the output in the screenshot.

Last edited 11 months ago by zodiac1978 (previous) (diff)

#6 @SergeyBiryukov
11 months ago

  • Milestone changed from Future Release to 5.3

@donmhico
10 months ago

Display an admin notice in wp-admin/options.php page.

#7 @donmhico
10 months ago

  • Keywords needs-patch removed

My patch is pretty much based from the code provided by @zodiac1978 above. I only applied the following changes.

  1. I placed the add_action() inside wp-admin/includes/admin-filters.php and placed the callback function inside wp-admin/includes/options.php. I think these are the most suitable places for them. Please advice otherwise.
  1. I also change the function name from options_page_warning() to wp_admin_options_php_page_warning_admin_notice() to make it more specific and less likely to have function name duplicate conflict.

#8 @SergeyBiryukov
10 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#9 @SergeyBiryukov
10 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 45743:

Administration: Display a warning at the top of "All Settings" screen.

Props zodiac1978, donmhico, pixolin.
Fixes #47718.

Note: See TracTickets for help on using tickets.