[wp-trac] [WordPress Trac] #57639: Don't reveal and show admin email address in "changed email address" template to low permission user roles - Privacy issue
WordPress Trac
noreply at wordpress.org
Sun May 31 15:17:57 UTC 2026
#57639: Don't reveal and show admin email address in "changed email address"
template to low permission user roles - Privacy issue
-------------------------+------------------------------
Reporter: ReneHermi | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 6.1.1
Severity: major | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by masteradhoc):
@ReneHermi Thanks for the ticket! I agree this is definitely not optimal.
The intent behind including the admin email is understandable — giving
users a way to report unauthorized password changes — but it is
unnecessary. `###SITENAME###` and `###SITEURL###` are already present in
the same template, so users can simply visit the site and use the official
contact channel. We also can't assume the admin email belongs to someone
who can handle end-user support; it could be a technical administrator, an
agency, or another party who may not be the right point of contact.
Proposed fix: remove `###ADMIN_EMAIL###` from the email template string
and its corresponding substitution in `wp_update_user()`. The line would
simply read "please contact the Site Administrator" — no email exposed, no
functional information lost. This is a minimal, low-risk change.
I'll provide a patch soon.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57639#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
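Until a core patch lands, a site owner can get a similar result from a small must-use plugin. The following is an added example, not WordPress core code and not the patch promised in the comment above. It relies on core's `password_change_email` and `email_change_email` filters in `wp_update_user()`, which run before the `###...###` placeholders are substituted; the function name, file path and sample message are assumptions made for illustration.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, e.g. wp-content/mu-plugins/hide-admin-email.php).
 * Keeps the admin address out of the "password changed" and "email changed"
 * notices that wp_update_user() sends to the affected user.
 */

/**
 * Strip the admin address from a notification array before core
 * replaces its ###PLACEHOLDER### tokens.
 *
 * @param array $email Array with 'to', 'subject', 'message' and 'headers' keys.
 * @return array The same array with ###ADMIN_EMAIL### removed from 'message'.
 */
function example_strip_admin_email( $email ) {
	if ( ! is_array( $email ) || ! isset( $email['message'] ) ) {
		return $email; // Another plugin changed the shape; do nothing.
	}

	// English template ends the sentence with "... at\n###ADMIN_EMAIL###".
	// Drop " at <placeholder>" so the line reads
	// "please contact the Site Administrator".
	$message = preg_replace( '/\s+at\s+###ADMIN_EMAIL###/', '', $email['message'] );

	// Translated templates word the sentence differently. Assumption for this
	// example: point those at the site URL, which core fills in afterwards.
	$message = str_replace( '###ADMIN_EMAIL###', '###SITEURL###', $message );

	$email['message'] = $message;
	return $email;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: hook both notices sent by wp_update_user().
	add_filter( 'password_change_email', 'example_strip_admin_email' );
	add_filter( 'email_change_email', 'example_strip_admin_email' );
} else {
	// Outside WordPress: run against a constructed sample message.
	$sample = array(
		'message' => "Hi ###USERNAME###,\n\nIf you did not change your password, "
			. "please contact the Site Administrator at\n###ADMIN_EMAIL###\n\n"
			. "Regards,\nAll at ###SITENAME###\n###SITEURL###",
	);
	$out = example_strip_admin_email( $sample );
	echo $out['message'], "\n";
}
```

Because the placeholder is gone before core's own `str_replace()` runs, the value of the `admin_email` option never enters the outgoing message.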