Theme request to change administrator email

Update: to be more sensitive, less finger pointing :wink:

SECURITY RISK: it requests to change the email of the administrator user to admin@

THIS IS NOT EASY TO SEE AND A COMPLETELY OUTRAGEOUS CHANGE

It was after installing demo content, 100% reproducible each time you install any demo content.

Now I’m really afraid of using this theme.
Who should give us feedback about this situation? How do I report this?

screenshot:

Hi @dalzateb85,

The email address added by the demo export is the author’s admin email, and it requests you to change the email to your own one. So, you should change the email to your own after finishing the demo export.

If you need any support or have any query contact the author of your purchased theme, the theme author will assist you.

How to contact an author to get support or for any technical query:

Thanks

Hi,

thanks for the feedback.

I understand and I’m technical enough to see what is happening.
Unfortunately, this issue is a really big security flaw. If it takes you long enough to cancel that, they can technically take over your WP site.

Today we can trust them, tomorrow? Living in the world we are living in today, there is no excuse for this type of solution, even if no wrongdoing is in the making.
I trusted Envato for my theme buying and the vetting that they are applying here… this is telling me otherwise, and I expect a downgrade on the vendor/author and a proper way to see that Envato is pursuing this with their authors.

@dalzateb85

You have posted twice in 2 forum topics claiming that Envato and authors (in this case a well respected author) do not take security seriously. Looking at your posts you seem to be implying that the demo content import on the General Settings would be sufficient to compromise your WordPress admin, but I don’t agree. The General Settings would only come into force when you applied them, and in this case I believe the section you are quoting is to do with electronic email, not giving someone access to your WordPress admin area.

See @mgscoder reply!

Hi,

Indeed… I’d posted in two different posts… I don’t see the harm in it if speaking about security.

My apologies if I’d touched sensitive topics (Envato and a respected author) but it doesn’t take away my findings. I would, in the same respectful manner, like to get a valid answer.

I’m looking on the web for what the policies are for security; I hardly find anything, which is the reason for coming to the portal… in order to understand this and make it easy for people that might not have the opportunity to understand what is happening.

I welcome you to do the testing. Change the email in your Settings >> General and press save. That is the moment the level appears, and automatically an email is sent to that email (this I must say is a big security flaw in WP itself) since the email goes to the new email and the old one doesn’t get any notice of the change. I did the test myself and I was able to change the admin owner just like that.

But I thank you for your answer, looking forward to hearing a better explanation on the security concern that I’m raising here.

Hi,

I need to own my mistake here… it doesn’t look like you can easily gain access as admin by changing the email in this general section.

However, it is still a security risk since any email from the site will be coming as if from this email (from what I read and understand here). So this issue can still be exploited in a given way.

So again, I might have taken things in the wrong way… and definitely taken it worse than I had expected. I’m only looking into getting a better experience for those of us that lack a lot more technical knowledge… which is the aim of any forum :wink:

1 Like
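The mechanism described in the two posts above (saving a different address under Settings >> General sends a confirmation link to the new address only, and once confirmed every notification the site sends goes to that address) can be watched from the defender’s side. The following must-use plugin is an added example written for this thread, not code from the theme, the Unyson plugin or WordPress itself. It assumes only the core WordPress hooks `add_option_{$option}`, `update_option_{$option}`, `wp_mail()` and `is_email()`, and it emails the address that is currently on file whenever a change of the admin email is requested or completed, so a silent change (for instance one written by a demo-content import) is no longer silent. The plugin name and the `aecw_` function names are made up for the example.

```php
<?php
/**
 * Plugin Name: Admin Email Change Watch (added example, not part of any theme)
 * Description: Tells the CURRENT admin address when a change of the site admin
 *              email is requested or completed. Place in wp-content/mu-plugins/.
 */

// Settings > General does not write admin_email directly: WordPress stores the
// requested address in the new_admin_email option, emails a confirmation link
// to the NEW address, and only copies it into admin_email once that link is
// clicked. The old address is never told, which is the gap this file closes.

function aecw_notify( $to, $subject, $body ) {
    // Refuse to mail an empty or malformed recipient rather than failing loudly.
    if ( empty( $to ) || ! is_email( $to ) ) {
        return false;
    }
    return wp_mail( $to, $subject, $body );
}

function aecw_on_request( $requested ) {
    $current = get_option( 'admin_email' );
    if ( $requested === $current ) {
        return; // Same address as today: WordPress clears the pending change itself.
    }
    aecw_notify(
        $current,
        sprintf( '[%s] Admin email change requested', get_bloginfo( 'name' ) ),
        sprintf(
            "A request was made to change the site admin email from %s to %s.\n"
            . "If you did not do this (for example it appeared after a demo-content import),\n"
            . "cancel the pending change under Settings > General or run:\n"
            . "wp option delete new_admin_email\n",
            $current,
            $requested
        )
    );
}

// Fires when the new_admin_email option is created for the first time.
// Core hook signature: do_action( "add_option_{$option}", $option, $value ).
add_action( 'add_option_new_admin_email', function ( $option, $value ) {
    aecw_on_request( $value );
}, 20, 2 );

// Fires when an existing pending request is replaced by another one.
// Core hook signature: do_action( "update_option_{$option}", $old, $new, $option ).
add_action( 'update_option_new_admin_email', function ( $old_value, $value ) {
    aecw_on_request( $value );
}, 20, 2 );

// Fires after the confirmation link is clicked and admin_email really changes:
// tell the address that just lost the role, since every site mail now goes elsewhere.
add_action( 'update_option_admin_email', function ( $old_value, $value ) {
    if ( $old_value !== $value ) {
        aecw_notify(
            $old_value,
            sprintf( '[%s] Admin email changed', get_bloginfo( 'name' ) ),
            sprintf( "The site admin email was changed from %s to %s.\n", $old_value, $value )
        );
    }
}, 10, 2 );
```

The priority of 20 on the `new_admin_email` hooks makes the notice run after WordPress’s own handler (priority 10) has sent the confirmation to the new address, so both sides hear about the request. Independently of the plugin, the quick check after any demo import is `wp option get admin_email` and `wp option get new_admin_email`: the first should still be the address from your installation, and the second should not exist at all.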

Hi @dalzateb85,

In General Settings the admin email should not change for a demo export; it should remain your first installation email id (admin). But as you are reporting that in your case you face such an issue, there can be some reason/necessity for it in the demo export. To get a perfect answer you should ask this directly to the theme author. They can give you the right explanation and will assist you with any query.

Thanks

1 Like

Thanks @mgscoder, they said that it is due to a plugin they are using: “…Unyson plugin, where this plugin is used on over 1 million websites to install demo content”

Not a theme issue after all… But I guess they should take care to solve it, in their best interest.

Thanks a lot for your help

2 Likes

@dalzateb85

I think we all agree that security is an important issue for any hosted script and I do understand why you have pointed this out. These forums are here to help, and there are many forum users who will always be glad to advise and make suggestions, comments etc. Take care and see you in 2022.

1 Like