[wp-trac] [WordPress Trac] #44347: WP allows creating username that is already used email address

WordPress Trac noreply at wordpress.org
Sat Feb 7 09:04:11 UTC 2026


#44347: WP allows creating username that is already used email address
-------------------------------------------------+-------------------------
 Reporter:  phillipburger                        |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Users                                |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback 2nd-opinion   |     Focuses:
  needs-unit-tests changes-requested             |
-------------------------------------------------+-------------------------
Changes (by ozgursar):

 * keywords:  has-patch dev-feedback 2nd-opinion needs-testing needs-unit-tests
     => has-patch dev-feedback 2nd-opinion needs-unit-tests changes-requested


Comment:

 == Patch Testing Report

 Patch Tested:
 https://core.trac.wordpress.org/attachment/ticket/44347/44347.wp-includes.user.php.diff

 === Environment
 - WordPress: 7.0-alpha-61215-src
 - PHP: 8.2.29
 - Server: nginx/1.29.4
 - Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
 - Browser: Chrome 144.0.0.0
 - OS: macOS
 - Theme: Twenty Twenty-Five 1.4
 - MU Plugins: None activated
 - Plugins:
   * Code Snippets 3.9.5
   * Test Reports 1.2.1

 === Steps taken
 1. Create a user with `john_doe` username and `john@example.com` email
 address
 2. Try to register with a new user having `john@example.com` as username
 and `different@example.com` email.
 3. This succeeds and now logging in with "john@example.com" logs you in as
 user2, not user1
 4. Remove user2 with the `john@example.com` as username
 5. Apply the patch
 6. ✅ Patch is solving the problem

 === Expected result
 - Patch prevents a new user from using, as a username, an email that is
 registered as some other user's email. I get the following error as seen in
 the screenshots:

 `ERROR: This username is invalid because it is already the email address
 of another account.`

 === Additional Notes
 - I can still bypass this check if I programmatically add the users
 instead of using `register_new_user()`

 For example the following code still works and both users are created even
 after applying the patch.


 {{{
 // Create first user
 $user1 = wp_create_user('john_doe', 'password123', 'john@example.com');

 // Create second user - using first user's email as the username
 $user2 = wp_create_user('john@example.com', 'password456', 'different@example.com');
 // This still succeeds!
 }}}

 So, the patch needs to be extended to cover all cases/functions that allow
 user creation.
 Thus, I added `changes-requested`.


 === Screenshots/Screencast with results
 Before:
 [[Image(https://i.imgur.com/p0FPqx3.png)]]

 After:
 [[Image(https://i.imgur.com/POHSizN.png)]]

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44347#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
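
One way to enforce the check for every creation path that ends in `wp_insert_user()` (which `wp_create_user()` calls), shown as an added example that is not the ticket's patch or WordPress core code. The function name is hypothetical, and the snippet assumes it runs inside WordPress (for instance as an mu-plugin) on a version where an empty return from the `wp_pre_insert_user_data` filter aborts the insert.

```php
<?php
/**
 * Added example, not the patch attached to #44347.
 * Rejects a new account whose username is already the email address of
 * an existing account, at the wp_insert_user() level.
 * The function name below is hypothetical.
 */
function t44347_block_login_matching_email( $data, $update, $user_id ) {
	// Updates do not pass user_login in $data, and existing logins are
	// left alone: only account creation is checked.
	if ( $update || empty( $data['user_login'] ) ) {
		return $data;
	}

	$login = $data['user_login'];

	// Only an email-shaped username can collide with a stored email.
	if ( ! is_email( $login ) ) {
		return $data;
	}

	// email_exists() returns the owning user ID, or false if no account
	// has this address. The account being created is not stored yet, so
	// a user choosing their own new email as username still passes.
	if ( email_exists( $login ) ) {
		// Assumption: wp_insert_user() turns an empty $data into a
		// WP_Error ('empty_data') and inserts nothing.
		return array();
	}

	return $data;
}
add_filter( 'wp_pre_insert_user_data', 't44347_block_login_matching_email', 10, 3 );
```

With this active, the second `wp_create_user()` call from the report should return a `WP_Error` instead of a user ID; the error text is the generic one for empty data, not the message the patch adds to `register_new_user()`.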

