[wp-trac] [WordPress Trac] #63125: Let hidden if an email address is registered on the website
WordPress Trac
noreply at wordpress.org
Wed Mar 19 08:28:33 UTC 2025
#63125: Let hidden if an email address is registered on the website
------------------------------------+-----------------------------
Reporter: SGr33n | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: trunk
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Hi,
The password recovery flow provided by WordPress allows a malicious
user to find out whether an email address is registered on the website.
In fact, if you use the lost password feature and enter a non-existent
email address, the error is "Error: There is no account with that username
or email address"... so you could test a number of email addresses and
discover which ones are registered on the website.
In my opinion it would be better to show, in every case, a generic
message like "If the entered email address is in our database you will
receive an email with the instructions to reset your password".
Eventually I might take care of this enhancement.
Thanks :)
P.S. This is also related to the paragraph "Why did I get this “Password
Reset” email?" on
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63125>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
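As an added example (not WordPress core code and not a patch attached to this ticket), the following must-use plugin makes the "Lost your password?" form respond identically whether or not the submitted address is registered. It relies on two existing core hooks: the 'lostpassword_post' action, which retrieve_password() fires with the lookup result before it adds the 'invalidcombo' error, and the 'wp_login_errors' filter that login_header() applies to the messages it renders. The plugin name, the file location and the generic wording are assumptions taken from the ticket text.

```php
<?php
/**
 * Plugin Name: Generic lost-password response (example)
 * Description: Added example for Trac #63125, not core code. Makes the
 *              lost-password form behave the same for registered and
 *              unregistered addresses. Drop into wp-content/mu-plugins/.
 */

/**
 * Mirror core's success path when no account matches.
 *
 * retrieve_password() runs this action with the lookup result before it adds
 * the 'invalidcombo' error, so it is the earliest point where the "no such
 * user" branch can be made to redirect exactly like the success branch in
 * wp-login.php (same 302, same destination). Otherwise an attacker still
 * distinguishes a 200 with the form re-rendered from a 302 to checkemail=confirm.
 */
add_action( 'lostpassword_post', function ( WP_Error $errors, $user_data ) {
	// Only act for the wp-login.php form; other callers of retrieve_password()
	// expect a return value, not a redirect.
	if ( 'wp-login.php' !== $GLOBALS['pagenow'] ) {
		return;
	}
	// Leave genuine form errors (e.g. empty field) and real users alone.
	if ( $errors->has_errors() || ! empty( $user_data ) ) {
		return;
	}
	// Same destination core uses after a successful request.
	$redirect_to = ! empty( $_REQUEST['redirect_to'] )
		? $_REQUEST['redirect_to']
		: 'wp-login.php?checkemail=confirm';
	wp_safe_redirect( $redirect_to );
	exit;
}, 10, 2 );

/**
 * Replace both the confirmation notice and, as a safety net, any surviving
 * 'invalidcombo' error with one neutral message (wording from the ticket).
 */
add_filter( 'wp_login_errors', function ( WP_Error $errors ) {
	$generic = 'If the entered email address is in our database you will '
	         . 'receive an email with the instructions to reset your password.';
	foreach ( array( 'confirm', 'invalidcombo' ) as $code ) {
		if ( in_array( $code, $errors->get_error_codes(), true ) ) {
			$errors->remove( $code );
			// Third argument 'message' makes login_header() render it as a
			// notice rather than an error.
			$errors->add( 'confirm', $generic, 'message' );
		}
	}
	return $errors;
} );
```

After installing, submitting a registered and an unregistered address both yield a 302 to wp-login.php?checkemail=confirm and the same notice. One caveat remains: wp_mail() runs only on the success path, so a timing difference is still measurable; closing that would require queueing the mail or delaying the unregistered branch, which this example does not do.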