[wp-trac] [WordPress Trac] #57394: wp_insert_user allows the new user to have a username equal to an already registered email

WordPress Trac noreply at wordpress.org
Fri May 30 22:59:11 UTC 2025


#57394: wp_insert_user allows the new user to have a username equal to an already
registered email
-------------------------------------------------+-------------------------
 Reporter:  buutqn                               |       Owner:  audrasjb
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Login and Registration               |     Version:  6.1.1
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch changes-requested needs-   |     Focuses:
  unit-tests                                     |
-------------------------------------------------+-------------------------
Changes (by SirLouen):

 * keywords:  has-patch has-unit-tests needs-testing changes-requested =>
     has-patch changes-requested needs-unit-tests


Comment:

 == Additional Test Report
 === Description
 ❌ This report can't validate that the indicated patch works as expected.

 Patch tested: https://github.com/WordPress/wordpress-develop/pull/5032.diff

 === Environment
 - WordPress: 6.9-alpha-60093-src
 - PHP: 8.2.28
 - Server: nginx/1.27.5
 - Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
 - Browser: Chrome 137.0.0.0
 - OS: Windows 10/11
 - Theme: Twenty Twenty-One 2.5
 - MU Plugins: None activated
 - Plugins:
   * Test Reports 1.2.0

 === Testing Steps (New Scenario)
 1. Create a user with username: test at test.com and email test at bar.com
 2. Create a user with username: foo and email foo at bar.com
 3. Edit the user foo and change the email to test at test.com
 4. 🐞 Email can be set to the username of the first user.

 === Expected Results
 - Impossible to have the same email as a username

 === Actual Results
 1. ❌ Issue is not resolved with patch.

 === Additional Notes

 - I have not repeated the on-creation tests because we already have
 multiple reports.

 - Capitalizing on the
 [https://core.trac.wordpress.org/ticket/57394#comment:50 comment by
 Tonya], @costdev suggested that extra things should be checked, both in
 the patch and the unit tests. At this moment, we are only accounting
 for creation, but not for editing. Citing costdev:

     We only allow updating if:
     Context: Updating with a unique username
     The username doesn't exist
     Context: Updating with a unique email address
     The email address doesn't exist
     Context: Updating a user without changing the username or email address
     The username exists, but for the same user.
     The email address exists, but for the same user.
     Context: Updating a user to make the username and email address match
     The username exists as an email address, but it's for the same user.
     The email address exists as a username, but it's for the same user.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57394#comment:54>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
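
The update rules quoted from costdev in the message above, modeled as an added example (this is not WordPress core code and not the patch under test). The function name `find_identity_conflicts`, the in-memory `$users` array and the case-insensitive comparison are assumptions made for illustration.

```php
<?php
// Added illustration: a model of the quoted update rules, not WordPress core code.
// $users is a constructed in-memory stand-in for the users table.

/**
 * Return the conflicts that should block saving $login / $email for the
 * user with id $id (null when creating a new user). Empty array = allowed.
 */
function find_identity_conflicts(array $users, ?int $id, string $login, string $email): array
{
    $conflicts = [];
    // Assumption: usernames and emails are compared case-insensitively.
    $login = strtolower(trim($login));
    $email = strtolower(trim($email));

    foreach ($users as $other) {
        if ($id !== null && $other['id'] === $id) {
            continue; // A value that exists "but for the same user" is allowed.
        }
        $otherLogin = strtolower($other['login']);
        $otherEmail = strtolower($other['email']);

        if ($login === $otherLogin) {
            $conflicts[] = 'username_exists';
        }
        if ($email === $otherEmail) {
            $conflicts[] = 'email_exists';
        }
        // The cross-column checks: the case the test report found unhandled on edit.
        if ($login === $otherEmail) {
            $conflicts[] = 'username_is_another_users_email';
        }
        if ($email === $otherLogin) {
            $conflicts[] = 'email_is_another_users_username';
        }
    }
    return array_values(array_unique($conflicts));
}

// Constructed sample data mirroring the testing steps in the report.
$users = [
    ['id' => 1, 'login' => 'test@test.com', 'email' => 'test@bar.com'],
    ['id' => 2, 'login' => 'foo',           'email' => 'foo@bar.com'],
];

// Step 3 of the report: user foo changes their email to the first user's username.
var_dump(find_identity_conflicts($users, 2, 'foo', 'test@test.com'));
// Same user making username and email match: allowed under the quoted rules.
var_dump(find_identity_conflicts($users, 1, 'test@test.com', 'test@test.com'));
```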

