Ticket #32430: 32430.diff

src/wp-includes/pluggable.php

@@ -1656 +1656 @@
 /**
  * Notify the blog admin of a user changing password, normally via email.
  *
+ * Notify the user of any change to their password, also via email.
+ *
  * @since 2.7.0
  *
  * @param object $user User Object
  */
 function wp_password_change_notification(&$user) {
-        // send a copy of password change notification to the admin
+        // send password change notification to the admin
         // but check to see if it's the admin whose password we're changing, and skip this
         if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
                 $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
@@ -1669 +1671 @@
                 // we want to reverse this for the plain text arena of emails.
                 $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
                 wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), $blogname), $message);
+
+        //send password change notification to the user
+        } else {
+                /* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
+                $email_text = __( 'Howdy ###USERNAME###,
+
+This notice is confirming you recently changed your password on ###SITENAME###.
+
+If you did not change your password, please contact the Site Administrator at
+###ADMIN_EMAIL###
+
+This email has been sent to ###EMAIL###
+
+Regards,
+All at ###SITENAME###
+###SITEURL###' );
+
+                /**
+                 * Filter the email text sent when the user's password is changed.
+                 *
+                 * The following strings have a special meaning and will get replaced dynamically:
+                 * ###USERNAME###    The current user's username.
+                 * ###ADMIN_EMAIL### The link to click on to confirm the email change.
+                 * ###EMAIL###       The new email.
+                 * ###SITENAME###    The name of the site.
+                 * ###SITEURL###     The URL to the site.
+                 *
+                 * @since 4.3
+                 *
+                 * @param string $email_text      Text in the email.
+                 */
+                $content = apply_filters( 'user_password_change_email_content', $email_text );
+
+                $content = str_replace( '###USERNAME###', $user->user_login, $content );
+                $content = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $content );
+                $content = str_replace( '###EMAIL###', $user->user_email, $content );
+                $content = str_replace( '###SITENAME###', get_option( 'blogname' ), $content );
+                $content = str_replace( '###SITEURL###', get_option( 'siteurl' ), $content );
+
+                wp_mail( $user->user_email, sprintf( __( '[%s] Notice of Password Change' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
         }
 }
 endif;

src/wp-includes/user.php

@@ -2121 +2121 @@
         // If password is changing, hash it now.
         if ( ! empty($userdata['user_pass']) ) {
                 $plaintext_pass = $userdata['user_pass'];
-                $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
+                $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
         }
 
-        wp_cache_delete($user[ 'user_email' ], 'useremail');
+        wp_cache_delete( $user[ 'user_email' ], 'useremail' );
 
+        if ( $user['user_email'] !== $userdata['user_email'] ) {
+                $email_text = __( 'Howdy ###USERNAME###,
+
+This notice is confirming you recently changed your email on ###SITENAME###.
+
+If you did not change your email, please contact the Site Administrator at
+###ADMIN_EMAIL###
+
+This email has been sent to ###EMAIL###
+
+Regards,
+All at ###SITENAME###
+###SITEURL###' );
+
+                /**
+                 * Filter the email text sent when the user's email is changed.
+                 *
+                 * The following strings have a special meaning and will get replaced dynamically:
+                 * ###USERNAME###    The current user's username.
+                 * ###ADMIN_EMAIL### The link to click on to confirm the email change.
+                 * ###EMAIL###       The new email.
+                 * ###SITENAME###    The name of the site.
+                 * ###SITEURL###     The URL to the site.
+                 *
+                 * @since 4.3
+                 *
+                 * @param string $email_text      Text in the email.
+                 */
+                $content = apply_filters( 'user_email_change_email_content', $email_text );
+
+                $content = str_replace( '###USERNAME###', $user->user_login, $content );
+                $content = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $content );
+                $content = str_replace( '###EMAIL###', $user->user_email, $content );
+                $content = str_replace( '###SITENAME###', get_option( 'blogname' ), $content );
+                $content = str_replace( '###SITEURL###', get_option( 'siteurl' ), $content );
+
+                wp_mail( $user['user_email'], sprintf( __( '[%s] Notice of Email Change' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+        }
+
         // Merge old and new fields with new fields overwriting old ones.
-        $userdata = array_merge($user, $userdata);
+        $userdata = array_merge( $user, $userdata );
         $user_id = wp_insert_user($userdata);
 
         // Update the cookies if the password changed.