Opened 4 years ago
Last modified 4 years ago
#45830 new defect (bug)
wp_update_user does not use the pluggable wp_set_password to change a user password
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.0.2 |
| Component: | Users | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
wp_update_user does not use the pluggable wp_set_password to change a user password and instead updates it directly in the DB.
This means that any plugin replacing wp_set_password will be incorrectly bypassed. It directly means the reset_password hook is skipped.
The comment at the start of wp_update_user should also be removed as it encourages bad behaviour:
     * It is possible to update a user's password by specifying the 'user_pass'
     * value in the $userdata parameter array.
I would suggest a simple code fix. Replace this:
    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
        // If password is changing, hash it now
        $plaintext_pass = $userdata['user_pass'];
        $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
with this:
    if ( ! empty( $userdata['user_pass'] )) {
        wp_set_password($userdata['user_pass'], $ID);
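
To make the bypass concrete, here is a stand-alone PHP model added as an example; it is not part of the ticket and is not WordPress core code. `update_user_direct()`, `update_user_via_pluggable()`, the in-memory `$users` table and the `$audit` log are hypothetical, and `wp_hash_password()` is a stand-in built on `password_hash()`.

```php
<?php
// Simplified, constructed model of the behaviour in this ticket. Not WordPress core code.
$users = [ 7 => [ 'user_pass' => 'constructed-old-hash', 'user_email' => 'a@example.test' ] ];
$audit = []; // password changes seen by the plugin's wp_set_password replacement

// Stand-in for core's wp_hash_password() (assumption: any one-way hash will do here).
function wp_hash_password( $password ) {
    return password_hash( $password, PASSWORD_DEFAULT );
}

// Plugin replacement for the pluggable wp_set_password( $password, $user_id ).
function wp_set_password( $password, $user_id ) {
    global $users, $audit;
    $audit[] = "user $user_id password changed";
    $users[ $user_id ]['user_pass'] = wp_hash_password( $password );
}

// Path the ticket describes: hash in place, then write the row directly.
function update_user_direct( array $userdata ) {
    global $users;
    $id = $userdata['ID'];
    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $users[ $id ]['user_pass'] ) {
        $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
    }
    unset( $userdata['ID'] );
    $users[ $id ] = array_merge( $users[ $id ], $userdata );
}

// Path the ticket proposes: hand the new password to wp_set_password().
function update_user_via_pluggable( array $userdata ) {
    global $users;
    $id = $userdata['ID'];
    if ( ! empty( $userdata['user_pass'] ) ) {
        wp_set_password( $userdata['user_pass'], $id );
        // Choice made in this model: drop the plaintext so the write below cannot store it.
        unset( $userdata['user_pass'] );
    }
    unset( $userdata['ID'] );
    $users[ $id ] = array_merge( $users[ $id ], $userdata );
}

update_user_direct( [ 'ID' => 7, 'user_pass' => 'constructed-pass-1' ] );
printf( "direct write:  %d audit entries\n", count( $audit ) );
update_user_via_pluggable( [ 'ID' => 7, 'user_pass' => 'constructed-pass-2' ] );
printf( "via pluggable: %d audit entries\n", count( $audit ) );
var_dump( password_verify( 'constructed-pass-2', $users[7]['user_pass'] ) );
```

In the model, the plugin's audit log only gains an entry on the second call, which is the gap a site relying on a `wp_set_password` replacement for policy or auditing would need to account for.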
Attachments (1)
Apologies, my testing sucked there. I'll attach a new file just as soon as I can remove the bug that it introduced.