Opened 3 years ago

Last modified 2 years ago

#38898 reopened defect (bug)

Lost password form not working with plugins that rename login URL

Reported by: Kent Brockman
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.6.1
Component: Users
Keywords: needs-patch
Focuses: administration, multisite
Cc:
PR Number:

Description

When any given user, belonging to any given site within a Multisite environment, tries to recover its password, AND IF any security plugin which renamed the login URL is in place, the submission of that lost password form will fail because the form action has the wp-login.php URL hardcoded within. It should submit the form to the same URL you are currently on.

You can refer to this support thread to learn more:
https://wordpress.org/support/topic/bug-found-lost-password-form-outputting-incorrect-action-url-under-multisite/

So, the submit form URL in the wp-login.php file should be output programmatically rather than hardcoded.

Best regards
Marcelo

Change History (8)

#1 @MaximeCulea
3 years ago

  • Keywords needs-patch added

Hi @Kent Brockman,
thanks for the report!

Last edited 2 years ago by MaximeCulea

#2 @jesperb
3 years ago

Is this bug still on the radar?

Addition to the report:
The "forgot password" link below the login form goes to the main site's URL and not the current site. And as stated above, the URL specified in the action of the form on both "forgot password" and "reset password" forms are posted to the main site as well as using "wp-login.php" instead of the changed path.

#3 @lukecavanagh
3 years ago

@jesperb

Looks like the current line in core for wp-login.php for the lost password.

https://github.com/WordPress/WordPress/blob/master/wp-login.php#L535

<form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">

So it will still go to the main site of the current network, not back to the subsite.
https://codex.wordpress.org/Function_Reference/network_site_url
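
A way to check a rendered lost password page for the behaviour described in the comment above, as an added example that is not part of the ticket or of WordPress core: it parses the form and reports when its action points at a different host or path than the page it was served from. The hostnames, the `secret-login` slug and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormActions(HTMLParser):
    """Collect the action attribute of every <form>, keyed by the form's id."""
    def __init__(self):
        super().__init__()
        self.actions = {}

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.actions[a.get("id", "")] = a.get("action") or ""

def check_lostpassword_form(page_url, html, form_id="lostpasswordform"):
    """Return findings; an empty list means the form posts back to its own page."""
    parser = _FormActions()
    parser.feed(html)
    if form_id not in parser.actions:
        return [f"form #{form_id} not found"]
    page = urlsplit(page_url)
    # Resolve relative or empty actions against the page URL, as a browser would.
    action = urlsplit(urljoin(page_url, parser.actions[form_id]))
    findings = []
    if action.netloc.lower() != page.netloc.lower():
        findings.append(f"action host {action.netloc} differs from page host {page.netloc}")
    if action.path.rstrip("/") != page.path.rstrip("/"):
        findings.append(f"action path {action.path} differs from page path {page.path}")
    return findings

# Constructed sample: a subsite whose login URL was renamed by a plugin.
PAGE_URL = "https://site2.example.test/secret-login?action=lostpassword"
# Action as produced by network_site_url( 'wp-login.php?action=lostpassword' ).
BUGGY_HTML = ('<form name="lostpasswordform" id="lostpasswordform" '
              'action="https://example.test/wp-login.php?action=lostpassword" method="post">'
              '</form>')
# Action the ticket asks for: the URL the visitor is currently on.
FIXED_HTML = ('<form name="lostpasswordform" id="lostpasswordform" '
              'action="https://site2.example.test/secret-login?action=lostpassword" method="post">'
              '</form>')

if __name__ == "__main__":
    for label, html in (("buggy", BUGGY_HTML), ("fixed", FIXED_HTML)):
        print(label, check_lostpassword_form(PAGE_URL, html) or "OK")
```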

#4 @lukecavanagh
3 years ago

Seems like there is a related core ticket for this #21352

Current workaround seems to be this.
https://gist.github.com/eteubert/293e07a49f56f300ddbb

Last edited 3 years ago by lukecavanagh

#5 @lukecavanagh
3 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Was not a duplicate of #21352.

Last edited 3 years ago by lukecavanagh

#6 follow-up: @lukecavanagh
3 years ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

#7 in reply to: ↑ 6 ; follow-up: @Kent Brockman
3 years ago

Replying to lukecavanagh:
Luke, this ticket is not a duplicate, because beyond the issues on #21352, this one is requesting the site to respect the login URL when it's not defaulted to wp-login.php.
Thanks

#8 in reply to: ↑ 7 @lukecavanagh
3 years ago

Yep I know, my mistake.
Replying to Kent Brockman:

Replying to lukecavanagh:
Luke, this ticket is not a duplicate, because beyond the issues on #21352, this one is requesting the site to respect the login URL when it's not defaulted to wp-login.php.
Thanks
