Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#50072 new defect (bug)

Users with email addresses containing a single quote cannot reset their passwords

Reported by: danieleperilli's profile daniele.perilli Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 5.4
Component: Users Keywords: needs-patch needs-unit-tests
Focuses: Cc:


I just found that users with a single quote in their email addresses cannot reset their passwords.
This happens because there is a difference in the email addresses compared by the wp_insert_user() function.

Take a look at this example.
I have a user with an email address equal to daniel.o'brian@…
When he tries to reset his password, he receives the reset key, but his activation key is not stored in the database.
Looking at lines 1805-1808 of the file users.php I found the problem:

         if ( $update ) {
		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
			$data['user_activation_key'] = '';

In the above code the variable $user_email is daniel.o'brian@…, but the $old_user_data->user_email is escaped and appears to be daniel.o\'brian@…, so there isn't the match and user activation key is cleared.

Can you confirm and provide a fix?
In the meantime, I can change this behavior by escaping the $user_email myself in the filter wp_pre_insert_user_data which is a few lines above the checking, I guess.


Change History (2)

#1 @daniele.perilli
4 years ago

Sorry, I inverted the values of the two variables:
$user_email is escaped = daniel.o\'brian@…
$old_user_data->user_email is not escaped = daniel.o'brian@…

#2 @SergeyBiryukov
4 years ago

  • Keywords needs-patch needs-unit-tests added
Note: See TracTickets for help on using tickets.