
Opened 10 months ago

Last modified 9 months ago

#45830 new defect (bug)

wp_update_user does not use the pluggable wp_set_password to change a user password

Reported by: couling
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.0.2
Component: Users
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

wp_update_user does not use the pluggable wp_set_password to change a user password and instead updates it directly in the DB.

This means that any plugin replacing wp_set_password will be incorrectly bypassed. It directly means the reset_password hook is skipped.

The comment at the start of wp_update_user should also be removed as it encourages bad behaviour:

 * It is possible to update a user's password by specifying the 'user_pass'
 * value in the $userdata parameter array.

I would suggest a simple code fix. Replace this:

    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
        // If password is changing, hash it now
        $plaintext_pass = $userdata['user_pass'];
        $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );

with this:

    if ( ! empty( $userdata['user_pass'] ) ) {
        wp_set_password( $userdata['user_pass'], $ID );
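As an added illustration (not code from this ticket or from WordPress core), a small mu-plugin shows both sides of the problem the ticket describes: a site-specific replacement of the pluggable wp_set_password() that audits password changes, which the direct write in wp_update_user() bypasses, and a profile_update listener that still observes the change because that action fires from wp_insert_user() on either path. The function name audit_detect_password_change and the use of error_log() as the audit sink are assumptions; the replacement body mirrors what core's default does plus one log line.

```php
<?php
/*
 * Plugin Name: Password change audit (illustrative example, not core code)
 * Place in wp-content/mu-plugins/ so it loads before pluggable.php.
 * Assumes WordPress 5.0 hook signatures.
 */

// 1. A site can replace the pluggable wp_set_password() to audit changes.
//    This only helps when core actually calls wp_set_password(); as the
//    ticket describes, wp_update_user() hashes and stores directly instead,
//    so this replacement never runs for that path.
if ( ! function_exists( 'wp_set_password' ) ) {
	function wp_set_password( $password, $user_id ) {
		global $wpdb;
		$hash = wp_hash_password( $password );
		$wpdb->update(
			$wpdb->users,
			array( 'user_pass' => $hash, 'user_activation_key' => '' ),
			array( 'ID' => $user_id )
		);
		wp_cache_delete( $user_id, 'users' );
		// Assumption: error_log() stands in for a real audit sink.
		error_log( sprintf( 'audit: wp_set_password() called for user %d', $user_id ) );
	}
}

// 2. profile_update fires from wp_insert_user() on every update, including
//    the direct-write path in wp_update_user(), and receives the pre-update
//    user object. Comparing the stored hash before and after catches a
//    password change regardless of which code path made it.
add_action( 'profile_update', 'audit_detect_password_change', 10, 2 );
function audit_detect_password_change( $user_id, $old_user_data ) {
	$new_user = get_userdata( $user_id );
	if ( ! $new_user || ! $old_user_data ) {
		return;
	}
	if ( $new_user->user_pass !== $old_user_data->user_pass ) {
		error_log( sprintf( 'audit: password hash changed for user %d (seen via profile_update)', $user_id ) );
	}
}
```

Until wp_update_user() routes through wp_set_password(), the profile_update listener is the only place in this example that sees changes made via the user_pass key of wp_update_user().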

Attachments (1)

45830.dif (525 bytes) - added by couling 10 months ago.


Change History (3)

@couling
10 months ago

#1 @couling
10 months ago

  • Keywords has-patch added

#2 @couling
9 months ago

Apologies, my testing sucked there. I'll attach a new file just as soon as I can remove the bug that it introduced.
