Security risk Nicename update when profile is loaded by Super-Admin

  • Resolved Nikelaos

    (@nikelaos)


    2 years, 3 months ago

    That WP sets the user_nicename with the username is a security risk.

    I tried several plugins, but at some point the username showed up again as nicename.

    Then I manipulated the nicename directly in the DB.

    At some point that was overwritten again as well.

    As far as I have found out now, the nicename is already reset to the username when a user profile is displayed.

    Thus it is only conditionally possible to determine the nicename itself.

    But this is dangerous from a security point of view. By briefly activating the author contributions in the sitemap, two usernames have now fallen into the hands of people who certainly have nothing good in mind: Wordfence reports attacks with these two usernames since then.

    In my opinion, it should be immediately ensured that the nicename itself can be determined and is different from the username.

    Edit:
    Further testing has now shown: The change does not happen when the own profile is edited. If I load another user’s profile as Super-Admin, the nicename is overwritten when loading.

    • This topic was modified 2 years, 3 months ago by Nikelaos.
Viewing 2 replies - 1 through 2 (of 2 total)

  • That WP sets the user_nicename with the username is a security risk.

    … In my opinion, it should be immediately ensured that the nicename itself can be determined and is different from the username.

    That’s your opinion, but many people disagree with that.

    WordPress being a publishing platform not unlike platforms like Twitter, I personally consider a WordPress username the same way I view my Twitter handle or email address: at best I may consider it private information (if I so wish), but I certainly don’t consider it a security risk whenever I hand these to someone or even publish it openly online.

    Here’s a more coherent argument from the fine folks at Drupal: Disclosure of usernames and user IDs is not considered a weakness

    Good luck!

    Thread Starter Nikelaos

    (@nikelaos)

    Now it seems not to be a core problem. With another multisite installation I can’t see the described behavior.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Security risk Nicename update when profile is loaded by Super-Admin’ is closed to new replies.