
WooCommerce


prevent username enumeration

With the current situation, it is possible to enumerate WordPress usernames. When I go to the page `/account/lost-password/` I can pass in a wrong username and WooCommerce will reply with an error message "Invalid username or email." If I put in a correct username/email, WooCommerce will continue to a success page and trigger the send-out of the reset email link, which in return spills out existing usernames. Nowadays it is more common to simply continue to a neutral page that goes something along the lines of: "If your account exists, we have just sent you a recovery link."
And for those interested, I use this tool to harden WordPress on other fronts, but just realized that the default WordPress filters do not work here.

Author

jens buss

Current Status

Open

Last updated: March 14, 2024

0 comments
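One way to give both outcomes the same response on the WooCommerce lost-password endpoint, as an added example that is neither WooCommerce's code nor the requester's: a must-use plugin that runs after WooCommerce's own form handler and replaces the distinguishing error with the same redirect a valid account gets. It assumes that handler is hooked on `wp_loaded` at priority 20, that a failed lookup is reported through a WooCommerce error notice, and that the confirmation page is selected by the `reset-link-sent` query argument and its wording exposed through the `woocommerce_lost_password_confirmation_message` filter; verify those names against the installed version.

```php
<?php
/**
 * Plugin Name: Neutral lost-password response (example mu-plugin)
 *
 * Assumption: WC_Form_Handler::process_lost_password() runs on wp_loaded at
 * priority 20 and only redirects when the account lookup succeeded; on a
 * failed lookup it leaves an error notice and re-renders the form.
 */
add_action( 'wp_loaded', function () {
    // Only act on a submitted lost-password form with a non-empty identifier.
    if ( ! isset( $_POST['wc_reset_password'], $_POST['user_login'] ) ) {
        return;
    }
    if ( '' === trim( sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) ) ) {
        return; // "Enter a username or email" reveals nothing; keep that error.
    }
    if ( ! function_exists( 'wc_get_notices' ) || empty( wc_get_notices( 'error' ) ) ) {
        return; // Lookup succeeded (WooCommerce already redirected) or nothing to hide.
    }
    // Discard the "Invalid username or email." notice and mimic the success path.
    wc_clear_notices();
    wp_safe_redirect(
        add_query_arg( 'reset-link-sent', 'true', wc_get_account_endpoint_url( 'lost-password' ) )
    );
    exit;
}, 21 );

// Make the confirmation page wording neutral as well (assumed filter name).
add_filter( 'woocommerce_lost_password_confirmation_message', function () {
    return 'If an account exists for that username or email, a recovery link has been sent.';
} );
```

The response body and redirect are now identical for both cases, but the email is still only sent when the account exists, so the response time can still differ; if that matters, move mail delivery off the request path (for example onto a scheduled event).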
