Blog Transfer: User able to transfer blog to ANY WordPress.com user #55151

Open

Description

This came from a test and I'm curious so I opened a GH issue.

So! Transfer website from https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs -- we all know how to start it.

Now, I just found out that we can transfer the website to another WordPress.com user -- practically, any user on WordPress.com. The sender (the one who initiates the transfer) received the email for confirmation, yep, and the receiver received an email stating that they are the new owner of the website.

Problem is, I noticed that this process can be used to send the website to any WordPress.com user, regardless of whether they are registered as a user on the website (be it Admin, Editor, etc.) or not.

This is from my personal test. I lurked around my test sites and I wondered if I could send one of them to my personal WordPress.com account. I initiated the transfer when I realized I hadn't added my personal WordPress.com account to my test site as an Admin. I always presumed I needed to add the other user as Admin on the website for the transfer to proceed.

To my surprise, I found the site transferred successfully -- and I received a confirmation email on my personal WordPress.com account email.

Bug or Feature Request?

I don't know if this is a bug or if we can upgrade our system/tool for this. Can we add more protection to the site transfer process? I'm afraid of this situation being used by some folks who want to "dump" their site on another WordPress.com user.

Maybe we can add another layer of protection by ensuring:

  • The receiver must be added as a user on the website, and...
  • If the receiver is not on the site, the sender should see a warning on the Transfer Blog process. Something like: "It seems like this user is not a member on your website. Please invite them first by following the guide HERE."

Thank you in advance 🙇

Related reading

p7DVsv-9xb-p2

CC. @klimeryk -- My apologies for the ping, Igor. I noticed you are the one who handled the project 🙇 Do let me know if you need more information/testing. Thank youuu!


Labels: Triaged, User Report, [Pri] Normal, [Type] Bug
