A valid use case for confirmation emails

There is business value in the pattern, used on many internet platforms, where a confirmation email is sent and a link carrying a secret token (a nonce) must be clicked to complete the action. The value of the feature is:

The pattern confirms that the person who submitted the request can read mail delivered to that address, which reduces spam sign-ups and ties the account to a mailbox its owner controls.

When you sign up for Facebook, they send you an email with a link to confirm your account before it becomes active. This proves to Facebook that the recipient address is live, and that the HTTP user requesting the account has access to that mailbox.

This seems to be the intended purpose behind the admin email confirmation feature introduced in WordPress 4.9, along with providing additional security to the system. My contention is that this is a confused purpose, and in fact renders WordPress LESS secure for several reasons.

Similarity to the add user feature
When a user registers for a WordPress site, the site sends him a confirmation email to confirm that he has access to that mailbox. This valid use case is identical to the one facebook.com uses, described above: it confirms a piece of information between two human parties [the stakeholders of the site, and the user who is trying to register].

It is important to understand: THIS IS NOT A SECURITY FEATURE! An administrator can run arbitrary code. When an administrator adds a user from the dashboard there is even a check box to skip the outbound email:

[Screenshot: confirm_user_email_being_sent]

Why can’t this email be a true security feature?
In computer science there is a concept called “arbitrary code execution”. A user who can run arbitrary code on a system can do anything that system can do, and no check implemented on that same system can restrict him. A WordPress administrator can install and activate plugins and edit theme files (unless DISALLOW_FILE_MODS is set in wp-config.php), which is arbitrary PHP execution on the server; a confirmation email enforced by PHP on that same server is therefore no barrier to the administrator.

Case study interview

What technologies are you using?

What needs do you think they fulfill?

What value does this tech provide?

What is your dev process?

How many people are employed?

What roles do people play in the company?

Do you use outsourcing?

Plugin domain: server side / client side / mix ?

API?

Networking?

Auth?

What does the plugin do?

Are you using BDD / TDD?

Are you testing post development?

Agile, Scrum, mix, face to face, JIRA?

Testing frameworks? Libraries?

Roles in BDD? Same person who writes tests solves them?

Tests written first or after?

Pair programming, Group? mob? cubicle?

WordPress plugin: Randomize Main Loop Order

This is a plugin I made in response to a Quora question.

Randomize Main Loop Order

Plugin on Github: JohnDeeBDD/WP-Random-Order-Main-Loop

Just download the .zip from github, then upload it to your site. Let me know if there are any issues.
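As an added illustration of how a main-loop randomizer can be built (this is example code written for this page, not the source of JohnDeeBDD/WP-Random-Order-Main-Loop), the snippet below hooks the core `posts_orderby` filter. It uses a seeded `RAND()` so that the order stays stable across paginated requests for an hour; an unseeded `RAND()` reshuffles on every request, so page 2 would repeat or skip posts shown on page 1. The function name `example_random_loop_seed` is my own.

```php
<?php
/**
 * Plugin Name: Example: Random Main Loop Order
 * Description: Added illustration for this page; not the code of
 *              JohnDeeBDD/WP-Random-Order-Main-Loop.
 */

// Seed that changes once per hour (HOUR_IN_SECONDS is a WordPress core constant).
// Seeding RAND() keeps the order stable across paginated requests within the hour.
function example_random_loop_seed() {
    return (int) floor( time() / HOUR_IN_SECONDS );
}

// Replace the ORDER BY clause of the front-end main query only.
// WP_Query passes the filter the orderby string (without the "ORDER BY" prefix)
// and the query object itself.
add_filter( 'posts_orderby', function ( $orderby, WP_Query $query ) {
    if ( is_admin() || ! $query->is_main_query() ) {
        return $orderby; // leave admin screens and secondary queries alone
    }
    if ( ! ( $query->is_home() || $query->is_archive() ) ) {
        return $orderby; // only randomize listings, not single posts or pages
    }
    return 'RAND(' . example_random_loop_seed() . ')';
}, 10, 2 );
```

Note that `ORDER BY RAND()` makes MySQL sort the entire candidate set on every request, so on a site with many thousands of posts it is worth caching the ordered ID list rather than sorting in the database each time.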

Read John Dee's answer to “Is there a WordPress plugin that will re-arrange my website posts constantly?” on Quora

Code on github.com

WordPress Plugin: Change Admin Email – running on over 40k servers!

General Chicken publishes a plugin in the wordpress.org repo: Change Admin Email Setting Without Outbound Email

As of WordPress 4.9, the administrator cannot change the site admin email without outgoing email configured on the server and access to the new address’s mailbox. This plugin restores the admin’s ability to change this setting without sending a confirmation email.
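To make the “arbitrary code” argument from earlier on this page concrete, here is a minimal plugin, written as an added example for this page and not the Change Admin Email plugin’s own source, showing how any administrator who can install a plugin can step around the 4.9 confirmation. It assumes the core wiring as of WordPress 4.9: `update_option_new_admin_email()` is attached to the `add_option_new_admin_email` and `update_option_new_admin_email` actions in wp-includes/default-filters.php, the General Settings form submits the new address as the `new_admin_email` option, and the pending confirmation hash is stored in the `adminhash` option. The filter callback and its checks are my own.

```php
<?php
/**
 * Plugin Name: Example: Change Admin Email Without Confirmation
 * Description: Added illustration for this page; not the code of the
 *              "Change Admin Email Setting Without Outbound Email" plugin.
 */

// Assumption: WP 4.9 core hooks update_option_new_admin_email() (which stores the
// pending address and emails a confirmation link) to these two actions with the
// default priority 10. Detaching them stops the outbound email.
add_action( 'init', function () {
    remove_action( 'add_option_new_admin_email', 'update_option_new_admin_email' );
    remove_action( 'update_option_new_admin_email', 'update_option_new_admin_email' );
} );

// Intercept the save of 'new_admin_email' before it is written. Writing
// 'admin_email' directly and returning $old_value makes update_option() bail
// out, so no pending value and no confirmation hash are ever stored.
add_filter( 'pre_update_option_new_admin_email', function ( $value, $old_value ) {
    // Only administrators reach General Settings, but the capability is what
    // actually gates this change, so check it explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $old_value;
    }

    // The one thing the confirmation email genuinely protects against is a
    // mistyped address, so keep at least a syntactic check.
    $email = sanitize_email( $value );
    if ( ! is_email( $email ) ) {
        return $old_value;
    }

    update_option( 'admin_email', $email );

    // Assumption: these are the option names core uses for an unconfirmed
    // change; clearing them discards any pending confirmation.
    delete_option( 'new_admin_email' );
    delete_option( 'adminhash' );

    return $old_value; // short-circuit: do not store a pending value
}, 10, 2 );
```

Two caveats a practitioner would want. First, the bypass depends on the administrator being able to install a plugin (or edit theme files); with DISALLOW_FILE_MODS defined in wp-config.php the dashboard cannot add code, and the confirmation step then does act as a speed bump against an administrator who lacks server access. Second, the real security boundary is who holds the Administrator role and who has file access on the server, which is exactly the page’s point: a check enforced by PHP on a server the administrator already controls is not a boundary.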

Plugin in the wordpress.org repo:

Change Admin Email

Plugin on Github