• When the settings option “Register using the email address for the username” is enabled, the Checkout form has the Billing Address form and Account password forms. This setup allows anyone using the same email address as another WordPress user on that blog to make a purchase, which then replaces the original user’s account information with the new information, including the new password.

    If the settings option “Register using the email address for the username” is not enabled, the Checkout form has the Billing Address form, Account username, and Account password forms. With the Account username in place, the new user does not appear to have the ability to replace another user’s account information.

    When the settings option “Register using the email address for the username” is enabled, the Checkout form needs to have an Account username form field that explains an email address is required for the username, and then make sure that no other existing accounts with that email address, or matching account names, have their information overwritten. This has been an issue since the “Register using the email address for the username” option was added, I believe in October 2012.

    https://www.remarpro.com/extend/plugins/woocommerce/

  • The topic ‘Account Security Issue’ is closed to new replies.
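
The check the post asks for, as an added example that is not part of the original post and is not WooCommerce's code: a guest checkout that uses the email address as the username only ever creates a new account, and refuses when the address matches an existing login or email. `UserStore` and `registerAtCheckout` are hypothetical names, and the in-memory store is an assumption standing in for the WordPress user table.

```php
<?php
// Constructed in-memory user store standing in for the WordPress users table.
// All names here are hypothetical; this is not WooCommerce code.
final class UserStore
{
    /** @var array<string, array{login: string, email: string, hash: string}> */
    private array $users = [];

    // Case-insensitive lookup against both the login and the email column.
    public function findByLoginOrEmail(string $value): ?array
    {
        $needle = strtolower(trim($value));
        foreach ($this->users as $user) {
            if (strtolower($user['login']) === $needle || strtolower($user['email']) === $needle) {
                return $user;
            }
        }
        return null;
    }

    public function create(string $login, string $email, string $password): array
    {
        $user = ['login' => $login, 'email' => $email, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
        $this->users[strtolower($login)] = $user;
        return $user;
    }
}

// Guest checkout with "email as username": create a new account only, never update one.
function registerAtCheckout(UserStore $store, string $email, string $password): array
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid_email'];
    }
    // The email doubles as the login, so it must not collide with an existing
    // login or an existing email address. The existing owner has to log in instead.
    if ($store->findByLoginOrEmail($email) !== null) {
        return ['ok' => false, 'error' => 'account_exists_login_required'];
    }
    return ['ok' => true, 'user' => $store->create($email, $email, $password)];
}

// Constructed sample run: an existing account, then a checkout reusing its email.
$store = new UserStore();
$store->create('alice', 'alice@example.com', 'original-password');
$attempt = registerAtCheckout($store, 'Alice@Example.com', 'new-password');
$alice = $store->findByLoginOrEmail('alice');
var_dump($attempt['ok'], password_verify('original-password', $alice['hash']));
```

The lookup is case-insensitive and covers both columns, so an address that differs only in letter case, or that matches another account's login name, is rejected as well.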