Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#49527 closed defect (bug) (duplicate)

Impersonation on not-logged-in comment form

Reported by: antonv
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.3.2
Component: Comments
Keywords:
Focuses:
Cc:


If a stranger knows the name and email of a previous approved commenter, or of a registered user, the stranger’s comments are automatically approved and published.

Probably it needs a token, or an open comment password entry that is used for future comments by that stranger, stored in database and optionally by cookie on stranger’s device.

First easiest fix would be to check if name or email belong to a registered user and then automatically discard comment and redirect to login form.

This came to my attention as a registered user notified me and complained about comments he had not written, and they had his photo as avatar --- fortunately for me nothing serious this time, but it could have led to a legal matter if misused. I for now have turned off public commenting.
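A defender-side mitigation for the behaviour described in this ticket, added here as an illustration and not code from WordPress core or from the reporter: a must-use plugin that hooks the `pre_comment_approved` filter and holds for moderation any comment from a logged-out visitor whose email or name matches a registered account, so the "previously approved commenter" shortcut cannot publish it unreviewed. The helper name `example_comment_claims_registered_identity`, the choice to hold rather than discard the comment, and matching the name against the user login are assumptions of this example; `get_user_by()`, `is_user_logged_in()` and the two-argument `pre_comment_approved` filter are real WordPress APIs.

```php
<?php
/**
 * Added example (not WordPress core code and not the reporter's proposal):
 * drop this file into wp-content/mu-plugins/ to force moderation of
 * logged-out comments that claim a registered user's name or email.
 */

/**
 * Returns true when a logged-out comment submission carries the email
 * address or login name of a registered user. Hypothetical helper name.
 *
 * @param array $commentdata Comment data as passed to the filter.
 */
function example_comment_claims_registered_identity( array $commentdata ): bool {
    // Logged-in users are authenticated by WordPress; nothing to check.
    if ( is_user_logged_in() ) {
        return false;
    }

    $email = isset( $commentdata['comment_author_email'] )
        ? trim( (string) $commentdata['comment_author_email'] ) : '';
    $name  = isset( $commentdata['comment_author'] )
        ? trim( (string) $commentdata['comment_author'] ) : '';

    // The avatar is derived from the email, so this is the important match.
    if ( '' !== $email && get_user_by( 'email', $email ) ) {
        return true;
    }

    // Assumption: compare the display name against user logins only;
    // matching display_name would need a WP_User_Query and is left out.
    if ( '' !== $name && get_user_by( 'login', $name ) ) {
        return true;
    }

    return false;
}

/**
 * Runs after core has computed its approval verdict and overrides an
 * auto-approve (1) with "pending" (0) for impersonation candidates.
 * Spam and trash verdicts are left untouched.
 */
add_filter( 'pre_comment_approved', function ( $approved, array $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    if ( example_comment_claims_registered_identity( $commentdata ) ) {
        return 0; // Hold for moderation; an admin decides before publication.
    }
    return $approved;
}, 20, 2 );
```

Holding the comment rather than rejecting it keeps the moderation queue as the audit trail and avoids telling a submitter which names and emails belong to accounts; the moderator sees the attempt instead of the impersonated user seeing it published.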

Change History (1)

#1 @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome back to WordPress Trac!

Thanks for the report, we're already tracking this issue in #10931.
