Opened 3 years ago
Closed 3 years ago
#53093 closed enhancement (duplicate)
Network Admin Email
Reported by: | lars2923 | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 5.7.1 |
Component: | Users | Keywords: | |
Focuses: | administration | Cc: | |
Description
I changed the Network Admin Email found under Setting. Here is a portion of the message received when Saving Changes: "we will send you an email at your new address to confirm it. The new address will not become active until confirmed."
What occurred to me is, IF I were a hacker, I change the email address from yours to mine. All I have to do is go to MY email and acknowledge the change. What I feel should happen is an email should be sent to the address that is originally in the Network Admin field (your address) prior to the change and have that individual (you) acknowledge the change.
As it stands, I as a hacker can change the address to my address, and it is my address that receives the email requesting acknowledgement, not yours.
Hi there, welcome to WordPress Trac!
Thanks for the report, we're already tracking this issue in #48563.
As noted in [41254] / #39118, the confirmation sent to the new email is not meant as a security step, it only prevents accidental or erroneous email address changes from potentially locking users out of their site.
[41164] / #39117 added a notification sent to the old admin email address as well, to reduce the chances of a site compromise going unnoticed.
Let's continue the discussion in #48563 to keep it in one place.
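As an added illustration (not WordPress's own code), a minimal Python model of the flow described in the reply above: the new address receives a confirmation token and the stored address only switches once that token is presented, while the old address is notified in the same step. The class name, the `outbox` list (a stand-in for mail sending) and the `pending` dict (a stand-in for the stored pending-change option) are constructed for this example.

```python
import hmac
import secrets


class AdminEmailChange:
    """Minimal model (not WordPress's implementation) of the admin-email
    change flow: confirm at the new address, notify the old address."""

    def __init__(self, current_email, outbox):
        self.current_email = current_email
        self.pending = None      # stand-in for the stored pending-change option
        self.outbox = outbox     # constructed stand-in for mail sending: (recipient, kind)

    def request_change(self, new_email):
        # A fresh unguessable token ties the confirmation to this request.
        token = secrets.token_hex(16)
        self.pending = {"hash": token, "newemail": new_email}
        # Confirmation goes to the new address: it guards against typos and
        # lock-outs, not against someone who already controls the admin session.
        self.outbox.append((new_email, "confirm"))
        # The old address is notified at the same time, so the legitimate
        # owner can notice an unexpected change while it is still pending.
        self.outbox.append((self.current_email, "notice"))
        return token

    def confirm(self, token):
        """Apply the pending change only if the presented token matches."""
        if self.pending is None or not hmac.compare_digest(self.pending["hash"], token):
            return False
        self.current_email = self.pending["newemail"]
        self.pending = None
        return True


def run_flow(old, new, use_correct_token=True):
    """Drive one change request; returns (address_before_confirm, confirmed,
    address_after, outbox) so the two notifications can be inspected."""
    outbox = []
    flow = AdminEmailChange(old, outbox)
    token = flow.request_change(new)
    before = flow.current_email
    ok = flow.confirm(token if use_correct_token else "0" * 32)
    return before, ok, flow.current_email, outbox
```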