Security risk Nicename update when profile is loaded by Super-Admin
That WP sets the user_nicename with the username is a security risk.
I tried several plugins, but at some point the username showed up again as nicename.
Then I manipulated the nicename directly in the DB.
At some point that was overwritten again as well.
As far as I have found out now, the nicename is already reset to the username when a user profile is displayed.
Thus it is only conditionally possible to determine the nicename itself.
But this is dangerous from a security point of view. By briefly activating the author contributions in the sitemap, two usernames have now fallen into the hands of people who certainly have nothing good in mind: Wordfence reports attacks with these two usernames since then.
In my opinion, it should be immediately ensured that the nicename itself can be determined and is different from the username.
Further testing has now shown: The change does not happen when the own profile is edited. If I load another user’s profile as Super-Admin, the nicename is overwritten when loading.
- The topic ‘Security risk Nicename update when profile is loaded by Super-Admin’ is closed to new replies.