Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#57457 closed defect (bug) (invalid)

save_post hook fires on password reset?

Reported by: Dudo
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.1.1
Component: Users
Keywords:
Focuses:
Cc:

Description

Hello, I've just found out that on password reset, the save_post (https://developer.wordpress.org/reference/hooks/save_post/) hook is invoked.

Of course, this can be easily fixed if is_admin() is used.
But, still, this should never run on wp-login.php?action=lostpassword

To reproduce, just install this little plugin and then try to do a password reset:

<?php
/*
Plugin Name: Test
Plugin URI: url
Description: Just a test
Author: Dario Curvino
Version: 1.0.0
Author URI: http://dariocurvino.it
*/

//Using is_admin() will fix this

//if(is_admin()) {
    add_action('save_post', static function () {
        if (!current_user_can('edit_posts') ) {
            wp_die('Why am I here?');
        }
    });
//}

Change History (2)

#1 @Dudo
2 years ago

  • Resolution set to invalid
  • Status changed from new to closed

I found out why thanks to the help of Luca Stellone in the Italian WP community chat:
save_post was invoked by the plugin I used to send email; when this is disabled, save_post is not called.
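
As an added example (not code from this ticket or from WordPress core): a save_post callback that acts only on its own form submission and returns early otherwise, so a post saved by unrelated code during a request such as wp-login.php?action=lostpassword is left alone. The `example_` names and the `_example_note` meta key are hypothetical.

```php
<?php
/*
Plugin Name: Scoped save_post example
Description: Added example; all "example_" names are hypothetical.
*/

// Render the field and the nonce the save handler expects (posts only).
add_action('add_meta_boxes_post', static function () {
    add_meta_box('example_note', 'Note', static function ($post) {
        wp_nonce_field('example_save_note', 'example_note_nonce');
        printf(
            '<input type="text" name="example_note" value="%s">',
            esc_attr(get_post_meta($post->ID, '_example_note', true))
        );
    }, 'post');
});

// save_post runs inside wp_insert_post(), so it fires for every post type and
// in every request where any code saves a post, not only on the edit screen.
add_action('save_post', static function ($post_id, $post) {
    // Not our post type: some other code saved a post, stay out of the way.
    if ($post->post_type !== 'post') {
        return;
    }
    // Autosaves and revisions are not submissions of our form.
    if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id)) {
        return;
    }
    // No valid nonce means this save did not come from our meta box.
    $nonce = isset($_POST['example_note_nonce'])
        ? sanitize_text_field(wp_unslash($_POST['example_note_nonce']))
        : '';
    if (!wp_verify_nonce($nonce, 'example_save_note')) {
        return;
    }
    // Authorize against this specific post. Return instead of wp_die() so a
    // save started by other code is never aborted by this handler.
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }
    if (isset($_POST['example_note'])) {
        $note = sanitize_text_field(wp_unslash($_POST['example_note']));
        update_post_meta($post_id, '_example_note', $note);
    }
}, 10, 2);
```

The nonce and the per-post capability check tie the handler to the user's own submission; is_admin() only reports whether the request targets an admin screen, not who is making it.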

#2 @SergeyBiryukov
2 years ago

  • Component changed from General to Users
  • Milestone Awaiting Review deleted

Hi there, welcome back to WordPress Trac!

Thanks for the follow-up! Glad you were able to identify the issue.
