Make WordPress Core

#57640 closed enhancement (duplicate)

Don't reveal and show admin email address in "changed email address" template to low permission user roles - Privacy issue

Reported by: renehermi's profile ReneHermi Owned by:
Milestone: Priority: normal
Severity: major Version: 6.1.1
Component: Privacy Keywords:
Focuses: Cc:

Description

A user with low permissions like the subscriber role can find out the email address of the main administrator account.

This is problematic because these low privilege accounts are not intended to receive such sensitive information. They are usually created for customer accounts or subscriber accounts that should be notified about new posts or comments.

This issue becomes even more severe when it is combined with the installation of popular plugins like WooCommerce, Easy Digital Downloads or newsletter plugins. These plugins nearly always create a wordpress user with a low user role. As a result all of these sites are potentially affected even if the WordPress option "Anyone can register" is not activated.

Steps To Reproduce

Reproduce without 3rd party plugins:

  • Activate wp-admin > Settings > General > Anyone can register or install a shop plugin like easy digital download and Create a subscriber Login with the subscriber account
  • Let the subscriber change his email address

Result: WordPress will send a confirmation email that reveals the (super) administrator email address.

Reproduce with a shop plugin like Easy Digital Download

  • Install Easy Digital Downloads
  • Make a purchase
  • Login with the purchaser account
  • Let the purchaser change his email address

Result: WordPress core will send a confirmation email that reveals the (super) administrator email address to the buyer.

Recommendations

Generally I think we should remove the email address from the mail completely. As it is now it's easy to create a bot that collects millions of valid wp admin email adresses, just by creating subscriber accounts and then changing their email addresses afterward.

This affects latest version 6.1.1 but probably older WordPress versions as well.

To fix this I recommend to update the email template in /wp-includes/user.php and remove the email placeholder from the lines 2646 and 2588

Note: I've already reported this on hackerone.com but it was closed there with the explanation that this is no security issue so I am opening it here publically as privacy related issue.

I still think its a security issue but this decision should be made by someone else.

Change History (1)

#1 @swissspidy
17 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Looks like this got filed twice by accident. Closing in favor of #57639

Note: See TracTickets for help on using tickets.