Make WordPress Core

Opened 6 weeks ago

#61819 new enhancement

A possible design flaw in administrative rights

Reported by: erikvdh's profile erikvdh Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 6.6.1
Component: Administration Keywords:
Focuses: administration Cc:

Description

Situation:

A WordPress site with multiple administrator accounts is able to changing each other's passwords and email addresses, without any verification. Admins can lock each other out this way, and abuse each other's accounts, without the victim being able to reclaim or delete their own admin account.

Also, administrators can create random accounts with e-mail addresses, without confirmation of the e-mail address owner. To me, that feels a little ‘outdated’ because these days, every new account has to be verified with a confirmation link.

Steps to reproduce:

  • Admin A logs in to the WordPress website.
  • Admin A goes to User settings and edits Admin B's details.
  • Admin A changes the password for Admin B.
  • Admin A can change Admin B's email address, Admin B does not need to confirm this change. (now he is locked-out!)
  • Admin B is now completely locked out of his account, and has no way to recover his password, because the password recovery email address has also been changed.
  • Admin A can now abuse Admin B's name and account if he has malicious intent.

Recommendations:

  • My recommendation is to build in a function that when Admin A creates or changes changes the email address of Admin B, Admin B must confirm this change.
  • Admin B must be able to remove himself from an existing WordPress environment, now this is not possible and is dependent on another Admin to do this for him.
  • If a new Admin account is created within WordPress, the new user must confirm his account via a link that is sent to the entered email address. This prevents admin accounts from being created under email addresses of people who have not given permission for this.

Final thoughts...

The above is probably made by design. However, I am concerned about this. Adjusting each other's data, and particularly the e-mail address for password recovery, is in my opinion too easy.

There are many WordPress environments that have been built by third parties, and where contact disappears for all kinds of reasons or conflicts arise. It would be nice if admins could decide to withdraw from a certain WordPress website and not be dependent on third parties for this.

Notice, I brought this issue to the attention of HackerOne but they deemed it a design choice and not a security issue.

Change History (0)

Note: See TracTickets for help on using tickets.