Opened 6 years ago
Closed 5 years ago
#47718 closed defect (bug) (fixed)
Verification of new admin email address can be bypassed via options.php
Reported by: | pixolin | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Options, Meta APIs | Keywords: | has-screenshots |
Focuses: | | Cc: | |
Description
If you want to change the admin email address for a single WordPress site (wp-admin/options-general.php), a confirmation is requested by sending a mail to the new mail address "to avoid the address being inadvertently set to an incorrect address" (#39118).
If you change the mail address in wp-admin/options.php or use WP-CLI (`wp option update admin_email my@mail.com`), no email will be sent to the new address and no confirmation is required. The change is directly executed.
While some users suggest using options.php to set a new admin email address as a workaround (e.g. https://www.timjensen.us/change-admin-email-without-confirmation/) and "bypassing verification may have benefits in certain situations" (https://twitter.com/earnjam/status/1151404147813605376), the verification process seems to be flawed.
I don't see this as a security risk, as only logged-in admins (or users with access to WP-CLI) can execute changes.
Attachments (2)
Change History (11)
#2 (6 years ago)
- Keywords 2nd-opinion added
I think in general you should not be able to bypass verification when changing the setting through the user interface.
My only holdup in continuing that position here is that wp-admin/options.php isn't linked to anywhere in the admin, so it's not something an average user would encounter. Only more advanced users will even be aware of its existence.
I have used this method in the past to force a change on sites in a multisite network where the equivalent screen is available at wp-admin/network/site-settings.php and linked to from the tabs at the top of wp-admin/network/site-info.php.
It's interesting that we have a discrepancy where this form (for directly changing site options) is linked to on the multisite network admin, but it is not on a single site installation. That may simply be due to the fact that a network administrator is typically expected to be more knowledgeable/experienced than a standard site admin.
#4 (6 years ago)
- Keywords needs-patch added; dev-feedback removed
- Milestone changed from Awaiting Review to Future Release
I agree that this isn't a security issue, but a warning at the top of wp-admin/options.php would be appropriate, perhaps in the form of a non-dismissable admin notice.
#5 (6 years ago)
- Keywords has-screenshots added
I'm not sure if this is the right place for it, but I put the function in /wp-includes/user.php:

```php
<?php
/**
 * Adds an admin notice alerting the user to be careful on the options.php page
 *
 * @since 5.3.0
 *
 * @global string $pagenow
 */
function options_page_warning() {
	global $pagenow;

	// Only show the notice on wp-admin/options.php itself.
	if ( 'options.php' !== $pagenow ) {
		return;
	}

	// Translated strings are escaped on output, as the admin notice is raw HTML.
	echo '<div class="notice notice-warning">';
	echo '<p><strong>' . esc_html__( 'WARNING!' ) . '</strong></p>';
	echo '<p>' . esc_html__( 'This page allows direct access to your site settings. You can break things here. Please be cautious!' ) . '</p>';
	echo '</div>';
}
```

And the filter in /wp-admin/includes/admin-filters.php:

```php
<?php
add_action( 'admin_notices', 'options_page_warning' );
```
You can see the output in the screenshot.
#7 (5 years ago)
- Keywords needs-patch removed
My patch is pretty much based on the code provided by @zodiac1978 above. I only applied the following changes.
- I placed the `add_action()` inside wp-admin/includes/admin-filters.php and placed the callback function inside wp-admin/includes/options.php. I think these are the most suitable places for them. Please advise otherwise.
- I also changed the function name from `options_page_warning()` to `wp_admin_options_php_page_warning_admin_notice()` to make it more specific and less likely to have a function name duplicate conflict.
I think both options (wp-admin/options.php and WP CLI) are not very well known by beginners and are just used by pro users - therefore the missing verification process is not a bug, but a feature IMHO. Maybe wp-admin/options.php should get a warning sign, like the plugin/theme editor. Something like "You can break things here - do you really know what you are doing?".
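For a site owner who, unlike the commenters above, wants the confirmation step enforced on every write path rather than only warned about, the following mu-plugin is an added example (not part of this ticket's patch and not WordPress core code). Both wp-admin/options.php and `wp option update` end in a call to `update_option()`, so a `pre_update_option_admin_email` filter sees both; the filter lets the write through only when it matches the address pending in the `adminhash` option that core's `update_option_new_admin_email()` stores for the confirmation link, and otherwise returns the old value (which makes `update_option()` a no-op) and logs the attempt. It assumes the `adminhash` option has the shape `array( 'hash' => ..., 'newemail' => ... )` and that the confirmation handler in options.php writes `admin_email` before deleting `adminhash`; the constant `WP_ALLOW_UNVERIFIED_ADMIN_EMAIL` and the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Require admin_email confirmation (added example, not core code)
 * Description: Reverts any admin_email change that is not the final step of
 *              core's confirmation flow, and logs the blocked attempt.
 *
 * Install in wp-content/mu-plugins/ so it loads before wp-admin/options.php
 * and before WP-CLI commands run.
 */

// Hypothetical override for hosts where a deliberate unverified change is
// acceptable (e.g. `define( 'WP_ALLOW_UNVERIFIED_ADMIN_EMAIL', true );` in wp-config.php).
if ( ! defined( 'WP_ALLOW_UNVERIFIED_ADMIN_EMAIL' ) ) {
	define( 'WP_ALLOW_UNVERIFIED_ADMIN_EMAIL', false );
}

/**
 * Returns true when $new_value is the address that a pending confirmation
 * (the 'adminhash' option written by update_option_new_admin_email()) points at.
 *
 * @param string $new_value Address about to be written to admin_email.
 * @param mixed  $pending   Current value of the 'adminhash' option (array or false).
 * @return bool
 */
function example_admin_email_change_is_confirmed( $new_value, $pending ) {
	return is_array( $pending )
		&& ! empty( $pending['newemail'] )
		&& strtolower( (string) $pending['newemail'] ) === strtolower( (string) $new_value );
}

/**
 * Callback for the pre_update_option_admin_email filter.
 *
 * Returning $old_value makes update_option() treat the write as unchanged,
 * so neither options.php nor `wp option update` can set an unconfirmed address.
 *
 * @param mixed  $value     New value being written.
 * @param mixed  $old_value Value currently stored.
 * @param string $option    Option name (always 'admin_email' here).
 * @return mixed
 */
function example_guard_admin_email( $value, $old_value, $option ) {
	if ( WP_ALLOW_UNVERIFIED_ADMIN_EMAIL || $value === $old_value ) {
		return $value;
	}

	if ( example_admin_email_change_is_confirmed( $value, get_option( 'adminhash' ) ) ) {
		return $value; // Final step of the confirmation flow: allow.
	}

	// Record who tried to change it and from where (admin screen or WP-CLI).
	$user   = function_exists( 'wp_get_current_user' ) ? wp_get_current_user() : null;
	$login  = ( $user && $user->exists() ) ? $user->user_login : 'none';
	$source = ( defined( 'WP_CLI' ) && WP_CLI )
		? 'wp-cli'
		: ( isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : 'unknown' );

	error_log( sprintf(
		'[admin_email guard] unconfirmed change of %s from "%s" to "%s" blocked (user: %s, source: %s)',
		$option,
		$old_value,
		$value,
		$login,
		$source
	) );

	return $old_value;
}
add_filter( 'pre_update_option_admin_email', 'example_guard_admin_email', 10, 3 );
```

The normal options-general.php form is unaffected: it writes `new_admin_email`, not `admin_email`, so the confirmation mail still goes out, and the link in that mail writes `admin_email` while `adminhash` still holds the matching address. The only writes that are reverted are the direct ones this ticket describes, and each is visible in the PHP error log.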