
Opened 6 months ago

Closed 6 months ago

#53093 closed enhancement (duplicate)

Network Admin Email

Reported by: lars2923
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 5.7.1
Component: Users
Keywords: (none)
Focuses: administration
Cc: (none)

Description

I changed the Network Admin Email found under Settings. Here is a portion of the message received when saving changes: "we will send you an email at your new address to confirm it. The new address will not become active until confirmed."

What occurred to me is: if I were a hacker, I could change the email address from yours to mine, and all I would have to do is go to my email and acknowledge the change. What I feel should happen is that an email should be sent to the address that was originally in the Network Admin field (your address) prior to the change, and have that individual (you) acknowledge the change.

As it stands, I as a hacker can change the address to my address, and it is my address that receives the email requesting acknowledgement, not yours.

Change History (1)

#1 @SergeyBiryukov
6 months ago

  • Component changed from Administration to Users
  • Focuses administration added
  • Keywords needs-design needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

Thanks for the report; we're already tracking this issue in #48563.

As noted in [41254] / #39118, the confirmation sent to the new email is not meant as a security step, it only prevents accidental or erroneous email address changes from potentially locking users out of their site.

[41164] / #39117 added a notification sent to the old admin email address as well, to reduce the chances of a site compromise going unnoticed.

Let's continue the discussion in #48563 to keep it in one place.
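To make the distinction in the comment above concrete, here is an added Python model of the two-step flow (constructed for illustration; it is not WordPress's own code, and the class and method names are mine): the confirmation token goes only to the new address and proves deliverability, while the notice to the old address is the detection control that lets the legitimate owner spot an unwanted change.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AdminEmailChange:
    """Constructed model of a pending admin-email change (not WordPress code).

    outbox collects (recipient, kind, token) tuples in place of real mail.
    """
    current_email: str
    pending_email: Optional[str] = None
    _token: Optional[str] = None
    outbox: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def request_change(self, new_email: str) -> None:
        """Stage a change; nothing is active until the new address confirms."""
        self.pending_email = new_email
        self._token = secrets.token_urlsafe(32)
        # Confirmation to the NEW address: proves the mailbox works,
        # not that the person requesting the change owns the site.
        self.outbox.append((new_email, "confirm", self._token))
        # Notice to the OLD address: gives the real owner a chance to
        # notice (and react to) a change they did not make.
        self.outbox.append((self.current_email, "notice", None))

    def confirm(self, token: str) -> bool:
        """Activate the pending address if the token matches (constant-time)."""
        if self._token is None or self.pending_email is None:
            return False
        if not hmac.compare_digest(token.encode(), self._token.encode()):
            return False
        self.current_email = self.pending_email
        self.pending_email = None
        self._token = None
        return True


def recipients(change: AdminEmailChange) -> List[Tuple[str, str]]:
    """Return (recipient, kind) pairs without the tokens, for inspection."""
    return [(rcpt, kind) for rcpt, kind, _ in change.outbox]
```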
