Make WordPress Core

Opened 16 months ago

Last modified 16 months ago

#58916 new defect (bug)

Wrong User Password Reset

Reported by: dappelman's profile dappelman Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.2
Component: Security Keywords:
Focuses: Cc:

Description

We have a lot of users in our database. We occasionally have users in our database that have similar usernames, for instance: 'user 1' and 'user1'.

When a password needs to be reset via the e-mail reset link, sometimes the user_activation_key is populated for the wrong user when it was intended for 'user 1', it will be populated for 'user1' or the other way around.

They all have different user nicenames and e-mail addresses, but there must be some sanitizing going on with the username and password resets that is making similar but different usernames not technically unique.

Change History (3)

#1 @Otto42
16 months ago

  • Focuses multisite removed
  • Severity changed from major to normal

How do you know it's not simply a typo? Users can mistype their username, for example.

Basically, what information do you have that indicates that it's a mistake in the code rather than a mistake by the user?

#2 follow-up: @dappelman
16 months ago

I can reproduce this on my live site, which is a multisite install through the admin section, so it's not a matter of a user typing in the wrong username.

If I have two users:

1234 (user 1)
6789 (user1)

And I click wp-admin/users.php?action=resetpassword&users=1234&_wpnonce=xxxxxxx

It sets the user_activation_key for id 6789.

I wonder if there is any relation to this old ticket, since technically spaces should be sanitized from multi-site installs, but our site was converted to multisite quite a while after the site was started:

https://core.trac.wordpress.org/ticket/17904

#3 in reply to: ↑ 2 @Otto42
16 months ago

Replying to dappelman:

If I have two users:

1234 (user 1)
6789 (user1)

What are these fields? Can you describe it in a way that it's easily reproducible on a WordPress site?

Note: See TracTickets for help on using tickets.