WP-Members: Membership Framework
[resolved] no check against DB for existing email address when updating (5 posts)

  1. Steve
    Posted 5 years ago

    Overall, good job, good plugin.

    One (possibly big) issue though. If an existing user goes to edit their information and they change their email address to something else there is no check in place to make sure that the newly entered email address isn't already in the database.

    So, theoretically, if a user knew the email address of a site admin could they not gain admin access by changing the email associated with their account to one that is used by an admin?

  2. Chad Butler
    Plugin Author

    Posted 5 years ago

    That should be changed for the simple reason that we don't want to have address collisions. But to answer your security question, no, it would not allow a non-admin user to gain administrative access.

  3. Steve
    Posted 5 years ago

    This is my solution to the problem:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    It first checks to see if the email address passed in the form is different from what is currently on file; if it is different, it then checks to make sure the new email address isn't already in use.

  4. Chad Butler
    Plugin Author

    Posted 5 years ago

    That's a good solution. I would suggest not bothering to check if it's different and just checking if it exists. That way you go from doing either 1 or 2 DB calls to just 1 and still accomplish the same thing (it can be changed as long as it's not empty and doesn't already exist).

    Also (and this is something that the registration section is being updated to), I would suggest just using the WP function email_exists. Then you could cut out a few lines by just using if ( email_exists( $user_email ) ) { ...

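The check the two posts above describe, written out as an added example (this is not WP-Members' code and not the snippet Steve pasted, which was moderated out of the thread). It follows the single-lookup approach: normalize the submitted address, reject it if empty or malformed, then do one lookup. One caveat worth building in: WordPress's email_exists() returns the ID of whichever user owns the address, so a member who re-submits their profile form with their address unchanged would match themselves; the function therefore treats it as a collision only when the returned ID belongs to a different user. The lookup is passed in as a callable so the script runs offline against a constructed in-memory user table; inside WordPress you would pass the string 'email_exists' and get_current_user_id() instead. The function name wpmem_check_new_email and the sample users are assumptions for this example.

```php
<?php
// Added example, not WP-Members' own code.
// Validates an e-mail address submitted on a profile-update form before it is
// written to the user table.
//
// $lookup mimics WordPress email_exists(): it returns the ID of the user who owns
// the address, or false if nobody does. In a plugin, pass 'email_exists'; here a
// constructed in-memory table stands in so the script runs stand-alone.
function wpmem_check_new_email(string $submitted, int $current_user_id, callable $lookup): array
{
    // Normalize before comparing: trailing spaces or mixed case must not slip
    // past the uniqueness check (sanitize_email() does this inside WordPress).
    $email = strtolower(trim($submitted));

    if ($email === '') {
        return ['ok' => false, 'error' => 'E-mail address is required.'];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'E-mail address is not valid.'];
    }

    // Single DB lookup, as suggested in the thread.
    $owner_id = $lookup($email);

    // It is a collision only if the address belongs to someone else. A user
    // re-submitting their own unchanged address must not be rejected.
    if ($owner_id !== false && (int) $owner_id !== $current_user_id) {
        return ['ok' => false, 'error' => 'That e-mail address is already in use.'];
    }

    return ['ok' => true, 'email' => $email];
}

// Constructed sample user table (hypothetical IDs and addresses).
$users = [
    1 => 'admin@example.com',
    7 => 'steve@example.com',
];

// Case-insensitive lookup, matching the case-insensitive collation normally
// used for wp_users.user_email. Returns the owner's ID or false.
$lookup = function (string $email) use ($users) {
    foreach ($users as $id => $stored) {
        if (strtolower($stored) === $email) {
            return $id;
        }
    }
    return false;
};

// User 7 submits several candidate addresses.
$cases = [
    'Admin@Example.com',     // the admin's address -> rejected
    'steve@example.com',     // own unchanged address -> allowed
    'new.steve@example.com', // unused address -> allowed
    '',                      // empty -> rejected
    'not-an-email',          // malformed -> rejected
];

foreach ($cases as $candidate) {
    $result = wpmem_check_new_email($candidate, 7, $lookup);
    printf(
        "%-26s => %s\n",
        var_export($candidate, true),
        $result['ok'] ? 'OK (' . $result['email'] . ')' : 'REJECT: ' . $result['error']
    );
}
```

Run it with `php check_email.php`. Whatever the outcome of the privilege question raised in the first post, this check makes the collision impossible, which is the property the plugin author says he wants.
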
  5. Steve
    Posted 5 years ago

    Thanks for the feedback.

Topic Closed

This topic has been closed to new replies.
