[wp-trac] [WordPress Trac] #63927: Send email notification when an application password is added
WordPress Trac
noreply at wordpress.org
Thu Sep 4 14:34:06 UTC 2025
#63927: Send email notification when an application password is added
-----------------------------------+-----------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version:
Severity: normal | Keywords: needs-patch
Focuses: |
-----------------------------------+-----------------------------
When the account password or email address of a user is changed (either by
the user themselves or by an administrator), an email gets sent to the
email address of the user informing them of the change. This email helps
prevent a user account takeover from going unnoticed.
No such email is sent when an application password is added to a user's
account. An application password is almost as privileged as the user's
main password as it can be used to perform actions via the REST API, even
though it can't be used to log in to wp-admin.
An email should be sent to the user when an application password is added
to their account. If the creation of the application password is
unexpected then this informs the user about it.
Web services such as GitHub send an email to a user informing them about
newly granted access to their account for third party apps. The wording of
the email sent by WordPress could be similar, framing it as an app now
having access via a newly created application password. One important
difference is that the name of the application password is controlled by
the user adding the password, unlike services where a third party app is
prohibited from using a name that might imply that it's a first party
connection. If an attacker adds an application password with the name
"WordPress" or the name of the site itself, it would be confusing for the
user to receive an email which says "WordPress now has access to your user
account".
That's a long way of saying that we need to be careful about how this email
is phrased.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63927>
WordPress Trac <https://core.trac.wordpress.org/>
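As an added illustration that is not part of the ticket or of WordPress core, the following hypothetical must-use plugin hooks the core `wp_create_application_password` action and sends the kind of notification the ticket proposes, phrased so that the user-controlled password name cannot read as the sender or as a first-party connection (the function name and the email wording are assumptions):

```php
<?php
/**
 * Hypothetical mu-plugin (not WordPress core): email the account owner
 * whenever an application password is added to their account.
 *
 * Hooks the action fired by
 * WP_Application_Passwords::create_new_application_password().
 */
add_action( 'wp_create_application_password', 'example_notify_app_password_created', 10, 2 );

function example_notify_app_password_created( $user_id, $item ) {
	$user = get_userdata( $user_id );
	if ( ! $user || empty( $user->user_email ) ) {
		return;
	}

	// The name is chosen by whoever created the password (possibly an attacker),
	// so treat it as untrusted: strip markup and quote it as a label, never as a subject.
	$name = isset( $item['name'] ) ? wp_strip_all_tags( (string) $item['name'] ) : '';
	$name = '"' . $name . '"';

	$site = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

	// Phrase it as "a credential was added to your account", not "<name> now has access".
	$subject = sprintf( '[%s] An application password was added to your account', $site );
	$body    = sprintf(
		"Hi %s,\n\n"
		. "A new application password with the label %s was added to your account on %s.\n\n"
		. "Application passwords grant access to the site's REST API. If you did not create this one, "
		. "revoke it on your profile page and change your account password.\n\n"
		. "Profile page: %s\n",
		$user->display_name,
		$name,
		$site,
		admin_url( 'profile.php' )
	);

	wp_mail( $user->user_email, $subject, $body );
}
```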