Make WordPress Core

Opened 5 years ago

Last modified 5 years ago

#45830 new defect (bug)

wp_update_user does not use the pluggable wp_set_password to change a user password

Reported by: couling
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.0.2
Component: Users
Keywords: has-patch
Focuses:
Cc:

Description

wp_update_user does not use the pluggable wp_set_password to change a user password and instead updates it directly in the DB.

This means that any plugin replacing wp_set_password will be incorrectly bypassed. It directly means the reset_password hook is skipped.

The comment at the start of wp_update_user should also be removed as it encourages bad behaviour:

 * It is possible to update a user's password by specifying the 'user_pass'
 * value in the $userdata parameter array.

I would suggest a simple code fix. Replace this:

    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
        // If password is changing, hash it now
        $plaintext_pass = $userdata['user_pass'];
        $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );

with this:

    if ( ! empty( $userdata['user_pass'] ) ) {
        wp_set_password( $userdata['user_pass'], $ID );
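
The gap described above, seen from the side of a plugin that audits password changes (an added example, not part of the ticket or of WordPress core): replacing the pluggable wp_set_password records nothing when the change goes through wp_update_user, so this plugin file also hooks profile_update and compares the stored hashes. The helper example_audit_password_change and its log format are hypothetical, and the code assumes get_userdata returns the freshly written row by the time profile_update fires.

```php
<?php
/**
 * Plugin Name: Password change audit (added example, not WordPress core code)
 */

// Hypothetical helper: record whose password changed, who was logged in, and via which path.
function example_audit_password_change( $user_id, $path ) {
    error_log( sprintf(
        'password-change user=%d actor=%d path=%s',
        $user_id,
        get_current_user_id(),
        $path
    ) );
}

// Path 1: replace the pluggable function. Plugins load before
// wp-includes/pluggable.php, so this definition takes precedence over core's.
if ( ! function_exists( 'wp_set_password' ) ) {
    function wp_set_password( $password, $user_id ) {
        global $wpdb;

        $wpdb->update(
            $wpdb->users,
            array(
                'user_pass'           => wp_hash_password( $password ),
                'user_activation_key' => '',
            ),
            array( 'ID' => $user_id )
        );
        clean_user_cache( $user_id );

        example_audit_password_change( $user_id, 'wp_set_password' );
    }
}

// Path 2: wp_update_user() hashes and stores 'user_pass' itself and never
// calls the function above. Catch that path by comparing the hash held
// before the update with the hash stored afterwards.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );
    if ( $user && $old_user_data->user_pass !== $user->user_pass ) {
        example_audit_password_change( $user_id, 'wp_update_user' );
    }
}, 10, 2 );
```
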

Attachments (1)

45830.dif (525 bytes) - added by couling 5 years ago.


Change History (3)

@couling
5 years ago

#1 @couling
5 years ago

  • Keywords has-patch added

#2 @couling
5 years ago

Apologies, my testing sucked there. I'll attach a new file just as soon as I can remove the bug that introduced.
