Opened 6 years ago
Last modified 2 months ago
#45830 new defect (bug)
wp_update_user does not use the pluggable wp_set_password to change a user password
Reported by: | couling | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.0.2 |
Component: | Users | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
wp_update_user does not use the pluggable wp_set_password to change a user password and instead updates it directly in the DB.
This means that any plugin replacing wp_set_password will be incorrectly bypassed. It directly means the reset_password hook is skipped.
The comment at the start of wp_update_user should also be removed as it encourages bad behaviour:
```
 * It is possible to update a user's password by specifying the 'user_pass'
 * value in the $userdata parameter array.
```
I would suggest a simple code fix. Replace this:
```php
if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
	// If password is changing, hash it now
	$plaintext_pass = $userdata['user_pass'];
	$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
```
with this:
```php
if ( ! empty( $userdata['user_pass'] )) {
	wp_set_password($userdata['user_pass'], $ID);
```
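An added example, not part of the ticket or of WordPress core: a plugin that audits or enforces policy on password changes can cover the `wp_update_user()` path described above by comparing hashes in the `wp_pre_insert_user_data` filter, which a `wp_set_password()` replacement never sees. The `example_` function names and the `error_log()` destination are assumptions.

```php
<?php
/**
 * Plugin Name: Example password-change audit (added example, not core code)
 *
 * wp_update_user() hashes 'user_pass' itself and hands the result to
 * wp_insert_user(), so a replacement wp_set_password() is not called on
 * that path. This filter observes the change just before it is written.
 */

// Hypothetical sink: replace with your own audit log or policy check.
function example_record_password_change( $user_id, $path ) {
	error_log( sprintf( 'password change: user=%d path=%s', $user_id, $path ) );
}

// Returns true when the hash about to be stored differs from the stored one.
function example_hash_is_changing( $stored_hash, $new_hash ) {
	return ! hash_equals( (string) $stored_hash, (string) $new_hash );
}

function example_watch_user_update( $data, $update, $user_id ) {
	// Only existing users: new registrations have no previous hash.
	if ( $update && isset( $data['user_pass'] ) ) {
		$current = get_userdata( $user_id );
		if ( $current && example_hash_is_changing( $current->user_pass, $data['user_pass'] ) ) {
			example_record_password_change( (int) $user_id, 'wp_update_user' );
		}
	}
	// This filter only observes; the row data is returned untouched.
	return $data;
}
add_filter( 'wp_pre_insert_user_data', 'example_watch_user_update', 10, 3 );
```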
Attachments (1)
Change History (4)
Comment #3, 2 months ago
Similar to #41522, I somewhat consider this to be correct as-is, as the two functions are for different purposes: wp_set_password() is intended to be for the sync FROM another system to wp, not to sync it TO that system.
The naming, docs, and hooks could definitely use some work, though, to make things more comparable between the two.
Apologies, my testing sucked there. I'll attach a new file just as soon as I can remove the bug that introduced.