I have a huge security issue:
Commentators see the emails of other commentators.
From time to time (not always) when visitors (i.e. not logged-in users) want to post a comment, they see the emails of completely different commentators.
They would go to “Leave a reply” and the name input field and the email input field would automatically contain not their own name and their own email addresses (that were used for the previous comment they made), but would show someone else’s name and someone else’s email. WordPress would simply reveal another commentator’s name+email.
The IPs are completely different, thus it’s not a simple IP mess-up.
This bug cannot be reproduced. It happens rarely, but it happens.
I have a multi-site install, in case that matters. It happened both with the TwentyTen and TwentyEleven theme.
- The topic ‘Huge security issue: Comment fields reveal email address of different user’ is closed to new replies.