
Opened 3 months ago

Last modified 39 hours ago

#53962 accepted defect (bug)

The bug allows seeing the name(s) of the user(s) who have replied to a comment (not yet authorized).

Reported by: fasuto
Owned by: hellofromTonya
Milestone: 6.0
Priority: normal
Severity: normal
Version: 2.7
Component: Comments
Keywords: has-patch has-unit-tests has-testing-info
Focuses: administration, privacy
Cc:

Description

  1. Have a fresh installation of WordPress in its latest version, which comes with a default entry.
  2. Go to the entry and make a comment.
  3. The bug: the following URL is placed in the navigation bar: http://bug.test/2021/08/19/hola-mundo/?replytocom=2#respond, obtaining the response with the username.
  4. The comment has not been approved and you can display the user who made it; you can use a script that starts at one and is incremental, and you can get the list of users who have made a response to the entry and have not been approved.

Tests performed:

  1. Tested on a WordPress site with Cloudflare protection.
  2. Tests have been performed on WordPress with SSL certificates.

Attachments (1)

Bug Wordpress.pdf (187.0 KB) - added by fasuto 3 months ago.


Change History (19)

@fasuto
3 months ago

#1 follow-up: @peterwilsoncc
3 months ago

  • Component changed from General to Comments
  • Version changed from 5.8 to 2.7

Hello @fasuto and welcome to trac.

Thank you for your report, I am able to reproduce the bug.

It appears to have been introduced in version 2.7 of WordPress, so I've updated the version field of your report to indicate when the bug first appeared.


Notes:

comment_form_title() passes the value of the replytocom querystring parameter to get_comment(). comment_form_title() then uses the parent comment author's name in the title without verifying whether or not the comment has been approved.

The same is true for get_comment_id_fields().

#2 in reply to: ↑ 1 ; follow-up: @fasuto
3 months ago

Hello @peterwilsoncc

Hi, thanks for replying. The bug could allow a security breach by listing the users commenting on the post. I wanted to report it via HackerOne but couldn't; I hope it can be fixed.

Replying to peterwilsoncc:

Hello @fasuto and welcome to trac.

Thank you for your report, I am able to reproduce the bug.

It appears to have been introduced in version 2.7 of WordPress, so I've updated the version field of your report to indicate when the bug first appeared.


Notes:

comment_form_title() passes the value of the replytocom querystring parameter to get_comment(). comment_form_title() then uses the parent comment author's name in the title without verifying whether or not the comment has been approved.

The same is true for get_comment_id_fields().

#3 in reply to: ↑ 2 @peterwilsoncc
3 months ago

  • Milestone changed from Awaiting Review to 5.9

Replying to fasuto:

... the bug could allow a security breach by listing the users commenting on the post. I wanted to report it via HackerOne but couldn't; I hope it can be fixed.

I thought about that and decided that it can be worked on in public in a similar way that #49956 was.

As comments (including the commenter's name) are intended to be public, I don't think there is much concern about exposing data intended to be private. The main issue here is making sure it's not exploited by spammers.

I've just moved it on to the next major release's milestone for visibility.

#4 @fasuto
3 months ago

Thank you @peterwilsoncc, see you next time!

This ticket was mentioned in PR #1607 on WordPress/wordpress-develop by costdev.
3 months ago

  • Keywords has-patch added

comment_form_title() and get_comment_id_fields() allow replies to unapproved comments via ?replytocom=[comment-id]#respond.

This patch checks that the comment has been approved before outputting the unapproved comment's $author and the comment_parent hidden field.

Trac ticket: https://core.trac.wordpress.org/ticket/53962
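The pattern described in the notes above and in this PR summary, as an added illustration in plain PHP (not WordPress core's code and not the PR's diff): a constructed comment table stands in for get_comment(), and the stored comment_approved values '1', '0', 'spam' and 'trash' follow WordPress's convention. The unchecked version mirrors the reported behaviour; the checked version only acknowledges an approved parent.

```php
<?php
// Added illustration, not WordPress core code. A constructed comment table
// replaces the database lookup behind ?replytocom=N.
$comments = [
    1 => ['comment_author' => 'A WordPress Commenter', 'comment_approved' => '1'],
    2 => ['comment_author' => 'pending-user',          'comment_approved' => '0'],
    3 => ['comment_author' => 'spam-user',             'comment_approved' => 'spam'],
    4 => ['comment_author' => 'trashed-user',          'comment_approved' => 'trash'],
];

function lookup_comment(array $comments, int $id): ?array {
    return $comments[$id] ?? null;
}

// Before: any existing comment id, approved or not, puts the author's name
// in the reply title and its id in the comment_parent hidden field.
function reply_form_unchecked(array $comments, int $reply_to_id): array {
    $comment = lookup_comment($comments, $reply_to_id);
    if ($comment === null) {
        return ['title' => 'Leave a Reply', 'comment_parent' => 0];
    }
    return ['title'          => 'Leave a Reply to ' . $comment['comment_author'],
            'comment_parent' => $reply_to_id];
}

// After: a pending, spam or trashed parent is treated exactly like a missing
// one, so neither the name nor the hidden field reveals that it exists.
function reply_form_checked(array $comments, int $reply_to_id): array {
    $comment = lookup_comment($comments, $reply_to_id);
    if ($comment === null || $comment['comment_approved'] !== '1') {
        return ['title' => 'Leave a Reply', 'comment_parent' => 0];
    }
    return ['title'          => 'Leave a Reply to ' . $comment['comment_author'],
            'comment_parent' => $reply_to_id];
}

// Walk the ids an incrementing probe would try, including one that does not exist.
foreach ([1, 2, 3, 4, 99] as $id) {
    $before = reply_form_unchecked($comments, $id);
    $after  = reply_form_checked($comments, $id);
    printf("replytocom=%-2d before: %-38s parent=%-2d | after: %-38s parent=%d\n",
        $id, $before['title'], $before['comment_parent'],
        $after['title'], $after['comment_parent']);
}
```

Only id 1 produces a personalised title in the checked version; ids 2, 3, 4 and 99 are indistinguishable from each other, which is what removes the enumeration the report describes.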

#6 @costdev
3 months ago

  • Keywords has-unit-tests added

#7 @prbot
3 months ago

peterwilsoncc commented on PR #1607:

Thanks for updating @costdev, it will probably be a Monday next week (Aus time) before I can pull down the branch for testing. I've set a reminder to do so then.

#8 @prbot
3 months ago

costdev commented on PR #1607:

Sounds good @peterwilsoncc!

This ticket was mentioned in Slack in #core-test by peterwilsoncc. View the logs.
3 months ago

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.
3 months ago

#11 @hellofromTonya
3 months ago

  • Keywords has-testing-info added

Reproduce/testing instructions are included in the ticket's description.

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.
3 months ago

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.
3 months ago

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.
2 months ago

#15 @Boniu91
2 months ago

Test Report

Env

  • WordPress PR1607
  • Chrome 92.0.4515.159
  • Windows 10
  • Theme: Twenty Twenty One
  • Gutenberg Editor
  • Plugin: WP Downgrade

Steps tested before applying fix

  1. Added a new comment, which is not approved.
  2. Visited /2021/04/16/hello-world/?replytocom=2#respond
  3. I was redirected to adding a reply to a specific person (his nickname is not visible in the comment list, and neither is the comment); the nickname of the unapproved author was displayed in the reply form.

Steps tested after applying fix

  1. Added a new comment, which is not approved.
  2. Visited /2021/04/16/hello-world/?replytocom=2#respond
  3. I was correctly redirected to adding a new reply; the nickname of the unapproved author wasn't displayed.
  4. Approved the comment, moved it to spam and trash, and checked the behaviour in the meantime.

The fix looks good to me.

#16 @prbot
2 months ago

costdev commented on PR #1607:

@hellofromtonya I think that's all of the changes made if you're available for another review :-)

This ticket was mentioned in Slack in #core by chaion07. View the logs.
3 weeks ago

#18 @hellofromTonya
39 hours ago

  • Milestone changed from 5.9 to 6.0
  • Owner set to hellofromTonya
  • Status changed from new to accepted

@costdev and @fasuto, I'm sorry for dropping the ball on reviewing and testing PR 1607. The PR is close but there are open discussions happening in it and it needs another round of thorough testing and code review. With 5.9 Beta 1 tomorrow, likely time has run out for this to ship in 5.9. Again I'm sorry for dropping the ball.

I'll move it to 6.0 and assign myself as owner to shepherd getting it completed and committed. If it does get done before Beta 1 starts, happy to pull it back into 5.9.
