[wp-trac] [WordPress Trac] #10931: Verify Comment Email Addresses of Registered Users

WordPress Trac noreply at wordpress.org
Tue Jul 8 10:29:16 UTC 2025


#10931: Verify Comment Email Addresses of Registered Users
-------------------------------------------------+-------------------------
 Reporter:  mtdewvirus                           |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.9
Component:  Comments                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-docs early has-patch has-      |     Focuses:
  unit-tests needs-testing                       |
-------------------------------------------------+-------------------------

Comment (by rollybueno):

 == Reproduction Report
 === Description
 This report validates whether a guest commenter can impersonate a
 registered user by using their email address in the comment form.

 === Environment
 - WordPress: 6.9-alpha-60093-src
 - PHP: 8.2.28
 - Server: nginx/1.29.0
 - Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
 - Browser: Chrome 137.0.0.0
 - OS: Linux
 - Theme: Twenty Twenty-Five 1.2
 - MU Plugins: None activated
 - Plugins:
   * Query Monitor 3.18.0
   * Test Reports 1.2.0

 === Actual Results
 A comment submitted by a guest using the email of the registered
 administrator is accepted without requiring login, allowing
 impersonation.

 ✅ Error condition occurs (reproduced).

 === Additional Notes
 - ❗❗❗ I have tested this using the **Author Role** but had difficulty
 reproducing it at first; it turns out I was only able to reproduce it when
 impersonating the **admin email**, but it failed on the Author role.
 - I only found out after going through each role.
 - No warning or login prompt is shown when the email matches administrator
 email.

 === Supplemental Artifacts
 Admin email:
 [[Image(https://i.imgur.com/lApDCVR.png)]]

 Comment **passing** through when using the admin email. This is without
 going to the moderation queue first. This is the **main bug**:
 [[Image(https://i.imgur.com/mxBXB60.png)]]

 Comment **blocked** for moderation when using Author role:
 [[Image(https://i.imgur.com/Yk6oXbH.png)]]

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/10931#comment:68>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
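The behaviour reported above, a guest comment carrying a registered user's email address being auto-approved, can be held for moderation by a small must-use plugin. The following is an added example, not the patch attached to the ticket and not WordPress core code. The hooks and functions it calls (`pre_comment_approved`, `is_user_logged_in`, `sanitize_email`, `get_user_by`, `is_wp_error`) are real WordPress APIs; the helper name `example_guest_reuses_registered_email` is an assumption chosen for this example. The filter runs after core has decided on an auto-approval, so it can downgrade that decision to "pending" without touching spam or trash verdicts.

```php
<?php
/**
 * Plugin Name: Hold guest comments that reuse a registered user's email
 * Description: Added example for ticket #10931 (not the ticket's patch).
 *              Drop into wp-content/mu-plugins/ to activate.
 */

/**
 * Returns true when the commenter is NOT logged in but the submitted
 * email belongs to a registered account. Helper name is hypothetical.
 *
 * @param array $commentdata Comment data as passed to pre_comment_approved.
 */
function example_guest_reuses_registered_email( array $commentdata ): bool {
	// A logged-in commenter has already authenticated; nothing to check.
	if ( is_user_logged_in() ) {
		return false;
	}

	$email = isset( $commentdata['comment_author_email'] )
		? sanitize_email( (string) $commentdata['comment_author_email'] )
		: '';

	if ( '' === $email ) {
		return false;
	}

	// get_user_by() looks the address up against wp_users.user_email.
	return false !== get_user_by( 'email', $email );
}

add_filter(
	'pre_comment_approved',
	function ( $approved, $commentdata ) {
		// Leave error, spam and trash verdicts untouched.
		if ( is_wp_error( $approved ) || 'spam' === $approved || 'trash' === $approved ) {
			return $approved;
		}

		if ( example_guest_reuses_registered_email( $commentdata ) ) {
			// Record the attempt so site owners can spot repeated impersonation.
			error_log(
				sprintf(
					'[comment-email-check] guest comment from %s reused a registered email; held for moderation',
					isset( $commentdata['comment_author_IP'] ) ? $commentdata['comment_author_IP'] : 'unknown IP'
				)
			);

			// 0 = pending moderation: the comment is stored but not published.
			return 0;
		}

		return $approved;
	},
	10,
	2
);
```

Because the check sits on `pre_comment_approved` rather than rejecting the submission outright, the comment still lands in the moderation queue where an administrator can review it, which matches the behaviour the reporter observed for the Author role and expected for the admin email.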