Skip to content

Remove Store Subscriber Email as ID#1137

Merged
n7studios merged 2 commits into
restrict-content-tags-require-loginfrom
remove-store-subscriber-email-as-id-in-cookie
Jul 17, 2026
Merged

Remove Store Subscriber Email as ID#1137
n7studios merged 2 commits into
restrict-content-tags-require-loginfrom
remove-store-subscriber-email-as-id-in-cookie

Conversation

@n7studios

Copy link
Copy Markdown
Contributor

Summary

Follow-up to #1136 which required signed subscriber IDs for tag-restricted content.

Removes the kit/v1/subscriber/store-email-as-id-in-cookie REST API endpoint and the related JS that called it on Kit Form submissions to store the submitted email address' subscriber ID as a cookie. The endpoint was flagged in the reported vulnerability as an unauthenticated identity lookup: an attacker knowing a subscriber's email could obtain their numeric subscriber ID and set the ck_subscriber_id cookie without proof of email ownership.

After #1136, that numeric ID can no longer be used to bypass gated content. However, it can still be used for:

  • Custom Content shortcode: displays personalised content based on a subscriber's tags
  • Add a Tag on visit: tags the visitor when they view a Page/Post/CPT with the setting enabled

An attacker able to forge a subscriber identity via this endpoint could therefore view another subscriber's personalised Custom Content, and self-add to any tag the creator uses for "Add a Tag on visit" (potentially triggering unintended automations).

Removing the endpoint eliminates this residual identity-forging vector while preserving the primary way numeric subscriber IDs are populated - via the ck_subscriber_id URL parameter included in Kit email links. Creators using inline Kit forms without redirects will lose immediate personalisation on that same page view; personalisation continues to work on subsequent visits via email link.

If removing this functionality causes creator issues, it can safely be reinstated. At this stage, preferring signed subscriber IDs wherever possible is the more defensible position.

Testing

Removed Integration tests that exercised the removed REST endpoint (RESTAPITest, RESTAPIRestrictContentTest) and the EndToEnd Cest (SubscriberEmailToIDOnFormSubmitCest) that verified the JS flow.

Checklist

@n7studios n7studios self-assigned this Jul 15, 2026
@n7studios n7studios added the bug label Jul 15, 2026
@github-actions

Copy link
Copy Markdown

WordPress Playground

🚀 Your PR has been built and is ready for testing in WordPress Playground!

Click here to test your changes in WordPress Playground

@n7studios
n7studios requested review from a team, ciccio-kit and noelherrick and removed request for a team July 16, 2026 08:38
@n7studios
n7studios marked this pull request as ready for review July 16, 2026 08:39
@n7studios
n7studios merged commit 2694afd into restrict-content-tags-require-login Jul 17, 2026
264 of 269 checks passed
@n7studios
n7studios deleted the remove-store-subscriber-email-as-id-in-cookie branch July 17, 2026 00:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants