security vulnerability, update suggestion

  • So, I’m just posting this as a suggestion. In previous versions of WordPress and the current 6.0 there’s what I would call a security vulnerability in the pluggable.php file. The default behavior for comments is to email the user that had their post commented on to let them know, which is fine, but it shows their IP address to whoever comments on their post. It also shows their email address by default, which I would also call a security vulnerability. I have edited mine to no longer show the IP address and email address of the commenter. If you have a membership site, you probably have login with email for enhanced security and probably don’t have email addresses posted anywhere. You certainly aren’t going to want to hand out the IP addresses of all your members to each other. So, I’m just suggesting for a WordPress version update to edit the pluggable.php file to no longer have IP addresses and personal email addresses sent out.

  • Dion

    (@diondesigns)

    You shouldn’t edit core WordPress files because they will be replaced on the next update.

    Luckily, there is no need to edit wp-includes/pluggable.php. The file contains functions that can be replaced (“plugged”) by adding the replacement function to either a plugin or the wp-config.php file. If you add your replacement function using either of these two methods, it will be a permanent fix for your needs.

    FWIW, I agree with you about the need to limit personalized data being sent in emails. I suppose the difference is that I’d suggest setting up a couple of filters to allow plugins/themes to redact the personalized data if they feel it’s necessary, and perhaps using (redacted) in the lang strings if the IP and/or email is redacted.
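    As an added example (not Dion's code and not part of WordPress core), here is a small plugin that does the redaction Dion describes without touching pluggable.php: it hooks the `comment_notification_text` and `comment_moderation_text` filters that core already applies to the email body before sending, and replaces the commenter's stored IP address, reverse-DNS hostname and email with "(redacted)". The plugin name and the `example_redact_comment_pii` function name are assumptions; the two filter names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Redact Commenter Data in Notifications
 * Description: Hypothetical plugin; removes the commenter's IP address,
 * hostname and email from WordPress comment notification emails.
 */

/**
 * Replace the commenter's personal data in a notification body.
 *
 * Works on the literal values stored on the comment, not on the English
 * template strings, so it also applies on translated sites.
 *
 * @param string $text       Email body built by WordPress core.
 * @param int    $comment_id ID of the comment being reported.
 * @return string Body with IP, hostname and email replaced by "(redacted)".
 */
function example_redact_comment_pii( $text, $comment_id ) {
	$comment = get_comment( $comment_id );
	if ( ! $comment ) {
		return $text;
	}

	$secrets = array();
	if ( ! empty( $comment->comment_author_IP ) ) {
		$secrets[] = $comment->comment_author_IP;
		// Core prints the reverse-DNS hostname next to the IP; it is
		// identifying too, so redact it unless the lookup just echoed the IP.
		$host = @gethostbyaddr( $comment->comment_author_IP );
		if ( $host && $host !== $comment->comment_author_IP ) {
			$secrets[] = $host;
		}
	}
	if ( ! empty( $comment->comment_author_email ) ) {
		$secrets[] = $comment->comment_author_email;
	}

	// Longest value first, so a hostname that embeds the IP is removed whole.
	usort( $secrets, function ( $a, $b ) {
		return strlen( $b ) - strlen( $a );
	} );

	// str_replace with an empty search array returns $text unchanged.
	return str_replace( $secrets, '(redacted)', $text );
}

// Email to the post author (the case raised in this thread) ...
add_filter( 'comment_notification_text', 'example_redact_comment_pii', 10, 2 );
// ... and the moderation email to the site admin, for sites that want both.
add_filter( 'comment_moderation_text', 'example_redact_comment_pii', 10, 2 );
```

    Install it under wp-content/plugins/ (or as a must-use plugin) and activate it; because it never modifies core files, it survives core updates.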
