Make WordPress Core

Opened 16 months ago

Last modified 16 months ago

#57639 new enhancement

Don't reveal and show admin email address in "changed email address" template to low permission user roles - Privacy issue

Reported by: renehermi's profile ReneHermi Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 6.1.1
Component: Privacy Keywords:
Focuses: Cc:

Description

A user with low permissions like the subscriber role can find out the email address of the main administrator account.

This is problematic because these low privilege accounts are not intended to receive such sensitive information. They are usually created for customer accounts or subscriber accounts that should be notified about new posts or comments.

This issue becomes even more severe when it is combined with the installation of popular plugins like WooCommerce, Easy Digital Downloads or newsletter plugins. These plugins nearly always create a wordpress user with a low user role. As a result all of these sites are potentially affected even if the WordPress option "Anyone can register" is not activated.

Steps To Reproduce

Reproduce without 3rd party plugins:

  • Activate wp-admin > Settings > General > Anyone can register or install a shop plugin like easy digital download and Create a subscriber Login with the subscriber account
  • Let the subscriber change his email address

Result: WordPress will send a confirmation email that reveals the (super) administrator email address.

Reproduce with a shop plugin like Easy Digital Download

  • Install Easy Digital Downloads
  • Make a purchase
  • Login with the purchaser account
  • Let the purchaser change his email address

Result: WordPress core will send a confirmation email that reveals the (super) administrator email address to the buyer.

Recommendations

Generally I think we should remove the email address from the mail completely. As it is now it's easy to create a bot that collects millions of valid wp admin email adresses, just by creating subscriber accounts and then changing their email addresses afterward.

This affects latest version 6.1.1 but probably older WordPress versions as well.

To fix this I recommend to update the email template in /wp-includes/user.php and remove the email placeholder from the lines 2646 and 2588

Note: I've already reported this on hackerone.com but it was closed there with the explanation that this is no security issue so I am opening it here publically as privacy related issue.

I still think its a security issue but this decision should be made by someone else.

Change History (3)

#1 @swissspidy
16 months ago

#57640 was marked as a duplicate.

#2 @swissspidy
16 months ago

The email address shown in these emails is not a specific user's email address, but the one you set under Settings -> General as "Administration Email Address".

#3 @ReneHermi
16 months ago

I know, you know but I claim the "administration email address" has often an existing admin user account because the average small website owner adds there the same email address that he uses for maintaining his website.

I experienced this often on client websites and even on personal websites of mine.

But you can put the security factor aside and take the privacy one.

This was never an issue for me as I had the assumption this mail address would be private.
When I happened to notice that this email address is sent to all my subscribers who want to change their mailing address, this became a problem because this email address was never intended for the public and there is no clear warning in admin dashboard that the administrator email address is visible to other people.

When we don't remove the mail address we should at least mention that this mail address is no private one and could be visible to subscribers.

Note: See TracTickets for help on using tickets.