WordPress.org

Make WordPress Core

Opened 19 months ago

Last modified 11 months ago

#38898 reopened defect (bug)

Lost password form not working with plugins that rename login URL

Reported by: Kent Brockman
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.6.1
Component: Users
Keywords: needs-patch
Focuses: administration, multisite
Cc:

Description

When any given user, belonging to any given site within a Multisite environment, tries to recover their password, AND IF any security plugin which renamed the login URL is in place, the submission of that lost password form will fail because the form action has the wp-login.php URL hardcoded within. It should submit the form to the same URL you are currently on.

You can refer to this support thread to learn more: https://wordpress.org/support/topic/bug-found-lost-password-form-outputting-incorrect-action-url-under-multisite/

So, the submit form URL in the wp-login.php file should be output programmatically rather than hardcoded.

Best regards, Marcelo

Change History (8)

#1 @MaximeCulea
19 months ago

  • Keywords needs-patch added

Hi @Kent Brockman, thanks for the report!

Last edited 11 months ago by MaximeCulea

#2 @jesperb
15 months ago

Is this bug still on the radar?

Addition to the report: The "forgot password" link below the login form goes to the main site's URL and not the current site. And as stated above, the URL specified in the action of the form on both "forgot password" and "reset password" forms are posted to the main site as well as using "wp-login.php" instead of the changed path.

#3 @lukecavanagh
15 months ago

@jesperb

Looks like the current line in core for wp-login.php for the lost password.

https://github.com/WordPress/WordPress/blob/master/wp-login.php#L535

<form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">

So it will still go to the main site of the current network, not back to the subsite. https://codex.wordpress.org/Function_Reference/network_site_url

#4 @lukecavanagh
15 months ago

Seems like there is a related core ticket for this #21352

Current workaround seems to be this. https://gist.github.com/eteubert/293e07a49f56f300ddbb

Last edited 15 months ago by lukecavanagh
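An added example, not part of the ticket and not the code from the linked gist: one way to keep the lost-password form action, link and e-mail URL on the current subsite is to filter `network_site_url`, which comment #3 identifies as the source of the main-site URL. The function name `example_subsite_login_url` is hypothetical, the file is meant to be dropped into `wp-content/mu-plugins/`, and it assumes the login-renaming plugin rewrites `wp-login.php` through the `site_url` filter.

```php
<?php
/**
 * Added example (not WordPress core code, not the gist from comment #4).
 * Keeps login-related URLs on the current subsite of a Multisite network.
 * Assumption: the login-renaming plugin hooks the 'site_url' filter.
 */

/**
 * Rebuild login-related network URLs against the current site.
 *
 * @param string      $url    URL produced by network_site_url().
 * @param string      $path   Path that was passed to network_site_url().
 * @param string|null $scheme Scheme that was passed ('login', 'login_post', ...).
 * @return string URL to use instead.
 */
function example_subsite_login_url( $url, $path, $scheme ) {
	// Only touch the schemes wp-login.php uses for its own forms and links.
	if ( ! in_array( $scheme, array( 'login', 'login_post' ), true ) ) {
		return $url;
	}

	// Only touch wp-login.php paths, e.g. 'wp-login.php?action=lostpassword'.
	if ( ! is_string( $path ) || 0 !== strpos( ltrim( $path, '/' ), 'wp-login.php' ) ) {
		return $url;
	}

	// site_url() resolves against the current blog and applies the 'site_url'
	// filter, so a plugin that renames the login URL there is respected.
	// It does not call network_site_url(), so this filter cannot recurse.
	return site_url( $path, $scheme );
}
add_filter( 'network_site_url', 'example_subsite_login_url', 10, 3 );
```

After installing it on a test network, check the rendered `action` attribute of the lost-password form on a subsite and the link in the reset e-mail; both should point at the subsite and the renamed login path rather than the main site's `wp-login.php`.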

#5 @lukecavanagh
15 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Was not a duplicate of #21352.

Last edited 15 months ago by lukecavanagh

#6 follow-up: @lukecavanagh
15 months ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

#7 in reply to: ↑ 6 ; follow-up: @Kent Brockman
15 months ago

Replying to lukecavanagh: Luke, this ticket is not a duplicate, because beyond the issues on #21352, this one is requesting the site to respect the login URL when it's not defaulted to wp-login.php. Thanks

#8 in reply to: ↑ 7 @lukecavanagh
15 months ago

Replying to Kent Brockman:

> Replying to lukecavanagh: Luke, this ticket is not a duplicate, because beyond the issues on #21352, this one is requesting the site to respect the login URL when it's not defaulted to wp-login.php. Thanks

Yep I know, my mistake.
