With the current situation, it is possible to enumerate WordPress usernames. When I go to the page `/account/lost-password/`, I can pass in a wrong username and WooCommerce will reply with the error message "Invalid username or email." If I put in a correct username/email, WooCommerce will continue to a success page and trigger the sending of the reset email link, which in turn spills out existing usernames. Nowadays it is more common to simply continue to a neutral page that says something along the lines of: "If your account exists, we have just sent you a recovery link."
And for those interested, I use this tool to harden WordPress on other fronts, but I just realized that the default WordPress filters do not work here.
Open
Last updated: March 14, 2024
For anyone who lands on this page, this can be added to your site's theme like so:

```php
// Replace WooCommerce's lost-password notices with one neutral message, so the
// page text no longer reveals whether the username/email exists.
function sc_modify_wc_notice( $message ) {
	// Compare against the translated strings so the override also works on non-English sites.
	$leaky = array(
		__( 'Invalid username or email.', 'woocommerce' ),
		__( 'Password reset email has been sent.', 'woocommerce' ),
	);
	if ( in_array( $message, $leaky, true ) ) {
		$message = 'If email is registered, you will get a reset link.';
	}
	return $message;
}
// wc_add_notice() and wc_print_notice() both pass their text through woocommerce_add_{type}.
add_filter( 'woocommerce_add_error', 'sc_modify_wc_notice', 10, 1 );
add_filter( 'woocommerce_add_success', 'sc_modify_wc_notice', 10, 1 );
```
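Rewriting the notice text, as the comment above does, still leaves a behavioural difference that a script can detect: for a known account WooCommerce redirects (HTTP 302) to the lost-password endpoint with `reset-link-sent=true` and renders the confirmation template, whereas for an unknown account it stays on the form page and re-renders it with the error notice. The mu-plugin below is an added example, not code from this thread or from WooCommerce itself. It closes that gap by performing the same redirect for unknown accounts before WooCommerce's own handler runs, so both paths answer with an identical 302 and the same confirmation page, while known accounts fall through to WooCommerce untouched. It assumes that `WC_Form_Handler::process_lost_password()` is registered on `wp_loaded` at priority 20, that the handler keys on `wc_reset_password` / `user_login` with the `lost_password` nonce, and that the confirmation page is selected by the `reset-link-sent` query argument; verify all three against the installed WooCommerce version. The function name `sc_neutral_lost_password` is arbitrary.

```php
<?php
/**
 * Plugin Name: Neutral lost-password response (added example)
 *
 * Drop into wp-content/mu-plugins/. Not part of WooCommerce or of the thread above.
 * For an unknown username/email this performs the same redirect WooCommerce performs
 * for a known one, so the two cases are indistinguishable by status code, URL and
 * page content. Known accounts are left to WooCommerce, which sends the email.
 */

function sc_neutral_lost_password() {
	// Only act on a WooCommerce lost-password form submission (assumed field names).
	if ( ! isset( $_POST['wc_reset_password'], $_POST['user_login'] ) ) {
		return;
	}
	if ( ! function_exists( 'wc_get_account_endpoint_url' ) ) {
		return; // WooCommerce is not active; nothing to neutralise.
	}

	// Same nonce check WooCommerce applies; a bad nonce is left for WooCommerce to reject.
	$nonce = '';
	if ( isset( $_REQUEST['woocommerce-lost-password-nonce'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_REQUEST['woocommerce-lost-password-nonce'] ) );
	} elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );
	}
	if ( ! wp_verify_nonce( $nonce, 'lost_password' ) ) {
		return;
	}

	$login = sanitize_user( wp_unslash( $_POST['user_login'] ) );
	if ( '' === $login ) {
		return; // Empty field: WooCommerce's "enter a username" error reveals nothing.
	}

	// Mirror WooCommerce's lookup order: username first, then email (if allowed).
	$user = get_user_by( 'login', $login );
	if ( ! $user && is_email( $login ) && apply_filters( 'woocommerce_get_username_from_email', true ) ) {
		$user = get_user_by( 'email', $login );
	}

	if ( $user ) {
		return; // Known account: WooCommerce sends the reset mail and redirects as usual.
	}

	// Unknown account: answer exactly like the success path. No email is sent.
	wp_safe_redirect( add_query_arg( 'reset-link-sent', 'true', wc_get_account_endpoint_url( 'lost-password' ) ) );
	exit;
}

// Assumption: WooCommerce hooks its form handler on wp_loaded at priority 20, so run just before it.
add_action( 'wp_loaded', 'sc_neutral_lost_password', 19 );
```

Combine this with the notice filter from the comment above so that the confirmation page also reads neutrally. Two caveats remain: the known-account path still sends an email, so its response is measurably slower, which is a timing side channel this code does not hide; and the WordPress core form at `wp-login.php?action=lostpassword` is a separate code path that this plugin does not touch.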