Opened 5 years ago
Closed 5 years ago
#49527 closed defect (bug) (duplicate)
Impersonation on not-logged-in comment form
- Reported by: antonv
- Owned by:
- Milestone:
- Priority: normal
- Severity: normal
- Version: 5.3.2
- Component: Comments
- Keywords:
- Focuses:
- Cc:
Description
If a stranger knows the name and email of a previous approved commenter, or of a registered user, the stranger’s comments are automatically approved and published.
Probably it needs a token, or an open comment password entry that is used for future comments by that stranger, stored in the database and optionally in a cookie on the stranger's device.
The first and easiest fix would be to check whether the name or email belongs to a registered user and then automatically discard the comment and redirect to the login form.
This came to my attention when a registered user notified me and complained about comments he had not written, which had his photo as the avatar. Fortunately for me nothing serious happened this time, but it could have led to a legal matter if misused. For now I have turned off public commenting.
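As an added example (not code from this ticket or from WordPress core), the reporter's first suggestion can be approximated as a small plugin: hook the `pre_comment_approved` filter and hold for moderation any comment that was submitted by a visitor who is not logged in but whose e-mail address belongs to a registered user. Holding rather than discarding keeps the submission visible to moderators. The filter name, `email_exists()` and the `$commentdata` keys are WordPress core APIs; the plugin header and the function name are assumptions made here. Note that this only covers the registered-user case; a stranger reusing the name and e-mail of a previously approved guest commenter who has no account is not caught by this check.

```php
<?php
/**
 * Plugin Name: Hold comments that claim a registered user's e-mail
 * Description: Added example for Trac #49527; not part of WordPress core.
 */

/**
 * Hold (status 0 = pending moderation) any comment from a visitor who is not
 * logged in but whose e-mail address matches an existing user account, so the
 * comment is not auto-approved merely because that address was used by an
 * approved commenter before.
 *
 * @param int|string $approved    Status already decided by core: 1, 0, 'spam' or 'trash'.
 * @param array      $commentdata Comment data as passed to wp_new_comment().
 * @return int|string Possibly changed status.
 */
function hold_comment_claiming_registered_email( $approved, $commentdata ) {
	// Leave spam/trash decisions and already-held comments untouched.
	if ( 1 !== $approved ) {
		return $approved;
	}

	// A genuinely logged-in author carries a user_id; nothing to do.
	if ( ! empty( $commentdata['user_id'] ) ) {
		return $approved;
	}

	$email = isset( $commentdata['comment_author_email'] )
		? trim( (string) $commentdata['comment_author_email'] )
		: '';
	if ( '' === $email ) {
		return $approved;
	}

	// email_exists() returns the user ID for a registered address, false otherwise.
	if ( email_exists( $email ) ) {
		return 0; // hold for moderation instead of publishing
	}

	return $approved;
}
add_filter( 'pre_comment_approved', 'hold_comment_claiming_registered_email', 10, 2 );
```

To try it, save the file under wp-content/plugins, activate it, log out, and submit a comment using a registered user's e-mail address: the comment should land in the moderation queue rather than being published, while a comment submitted by that user while logged in is unaffected.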
Hi there, welcome back to WordPress Trac!
Thanks for the report, we're already tracking this issue in #10931.