Ticket #42183: 42183.2.patch

src/wp-includes/user.php

@@ -1820 +1820 @@
         // Escape data pulled from DB.
         $user = add_magic_quotes( $user );
 
-        if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
-                // If password is changing, hash it now
-                $plaintext_pass = $userdata['user_pass'];
+        if ( ! empty( $userdata['user_pass'] ) && ! wp_check_password( $userdata['user_pass'], $user_obj->user_pass, $ID ) ) {
+
+                // Used downstream to clear cookies.
+                $changed_password = true;
+
+                // wp_insert_user() expects new password to be hashed already.
                 $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
 
                 /**
@@ -1993 +1996 @@
         // Update the cookies if the password changed.
         $current_user = wp_get_current_user();
         if ( $current_user->ID == $ID ) {
-                if ( isset($plaintext_pass) ) {
+                if ( isset($changed_password) ) {
                         wp_clear_auth_cookie();
 
                         // Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.