Make WordPress Core

Opened 6 years ago

Last modified 2 months ago

#45830 new defect (bug)

wp_update_user does not use the pluggable wp_set_password to change a user password

Reported by: couling
Owned by: (nobody)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.0.2
Component: Users
Keywords: has-patch
Focuses: (none)
Cc: (none)

Description

wp_update_user does not use the pluggable wp_set_password to change a user password and instead updates it directly in the DB.

This means that any plugin replacing wp_set_password will be incorrectly bypassed. It directly means the reset_password hook is skipped.

The comment at the start of wp_update_user should also be removed as it encourages bad behaviour:

 * It is possible to update a user's password by specifying the 'user_pass'
 * value in the $userdata parameter array.

I would suggest a simple code fix. Replace this:

    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
        // If password is changing, hash it now
        $plaintext_pass = $userdata['user_pass'];
        $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );

with this:

    if ( ! empty( $userdata['user_pass'] ) ) {
        wp_set_password( $userdata['user_pass'], $ID );
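
The bypass described in this ticket, as a stand-alone simulation that is an added example and not code from WordPress core or from the attached patch. It stubs wp_hash_password() and a tiny in-memory users "table", declares a hypothetical plugin override of the pluggable wp_set_password() the way a real plugin would (before core's function_exists() guard runs), and then changes a password through two constructed code paths: one that hashes and writes directly like the current wp_update_user(), and one that routes through wp_set_password() as proposed. The only thing either path is measured on is whether the plugin's override ran.

```php
<?php
// Added example, not WordPress code. Function names mirror core's pluggable
// API, but every body here is a stub constructed for this demonstration.

// Constructed stand-ins for the users table and an audit log of what ran.
$users = array( 7 => array( 'ID' => 7, 'user_pass' => 'old-hash' ) );
$log   = array();

// Stub for core's wp_hash_password(); real core uses phpass/bcrypt. The
// return value only needs to be distinguishable from the plaintext here.
function wp_hash_password( $password ) {
    return 'hash(' . $password . ')';
}

// Hypothetical plugin override. Plugins declare the function first, so the
// guard core uses in pluggable.php never defines the default. A real plugin
// would use this spot to enforce a policy or push the change to another system.
function wp_set_password( $password, $user_id ) {
    global $users, $log;
    $log[] = 'plugin wp_set_password ran for user ' . $user_id;
    $users[ $user_id ]['user_pass'] = wp_hash_password( $password );
}

// Core's default, guarded exactly as pluggable.php guards it. Because the
// plugin already declared the function above, this block is skipped.
if ( ! function_exists( 'wp_set_password' ) ) {
    function wp_set_password( $password, $user_id ) {
        global $users;
        $users[ $user_id ]['user_pass'] = wp_hash_password( $password );
    }
}

// Path A: the behaviour the ticket reports. The password is hashed and
// stored directly, so nothing a plugin can override is ever called.
function update_user_current( $userdata ) {
    global $users;
    $id = $userdata['ID'];
    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $users[ $id ]['user_pass'] ) {
        $users[ $id ]['user_pass'] = wp_hash_password( $userdata['user_pass'] );
    }
}

// Path B: the reporter's proposal. The change goes through the pluggable
// function, so whatever a plugin swapped in gets to see it.
function update_user_proposed( $userdata ) {
    if ( ! empty( $userdata['user_pass'] ) ) {
        wp_set_password( $userdata['user_pass'], $userdata['ID'] );
    }
}

update_user_current( array( 'ID' => 7, 'user_pass' => 'constructed-password-1' ) );
$override_calls_current = count( $log );

update_user_proposed( array( 'ID' => 7, 'user_pass' => 'constructed-password-2' ) );
$override_calls_proposed = count( $log ) - $override_calls_current;

printf(
    "plugin override ran %d time(s) via the direct-write path, %d time(s) via wp_set_password()\n",
    $override_calls_current,
    $override_calls_proposed
);
```

Run it with the PHP CLI; both paths end with a hashed password in the users array, and the log shows which of them the override observed. The same check against a real site is to activate a plugin that declares wp_set_password() with a log line in it, change a password through a path that calls wp_update_user() (the profile screen, for example), and confirm whether the log line appears.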

Attachments (1)

45830.dif (525 bytes) - added by couling 6 years ago.


Change History (4)

#1 @couling
6 years ago

  • Keywords has-patch added

#2 @couling
6 years ago

Apologies, my testing sucked there. I'll attach a new file just as soon as I can remove the bug that it introduced.

#3 @dd32
2 months ago

Similar to #41522, I somewhat consider this to be correct as-is, as the two functions are for different purposes: wp_set_password() is intended to be for the sync FROM another system to WP, not to sync it TO that system.

The naming, docs, and hooks could definitely use some work though, to make things more comparable between the two.
