Opened 16 months ago
Last modified 16 months ago
#58916 new defect (bug)
Wrong User Password Reset
Reported by: | dappelman | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.2 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
We have a lot of users in our database. We occasionally have users in our database that have similar usernames, for instance: 'user 1' and 'user1'.
When a password needs to be reset via the e-mail reset link, sometimes the user_activation_key is populated for the wrong user: when it was intended for 'user 1', it will be populated for 'user1', or the other way around.
They all have different user nicenames and e-mail addresses, but there must be some sanitizing going on with the username and password resets that is making similar but different usernames not technically unique.
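The collision the report describes, as an added example that is neither part of this ticket nor WordPress core code: an audit over a constructed user list that flags logins which become identical once whitespace is dropped and case is folded (an assumed rule standing in for whatever sanitising the reporter suspects), a lossy lookup that reproduces the "wrong user" symptom, and an exact-match resolver that surfaces the ambiguity instead of silently picking an account.

```python
import re
from collections import defaultdict

# Constructed sample users mirroring the ticket's example; the IDs 1234 and 6789
# come from comment #2, the e-mail addresses are made up.
USERS = [
    {"ID": 1234, "user_login": "user 1", "user_email": "user.one@example.com"},
    {"ID": 6789, "user_login": "user1",  "user_email": "user.two@example.com"},
    {"ID": 42,   "user_login": "alice",  "user_email": "alice@example.com"},
    {"ID": 43,   "user_login": "Alice",  "user_email": "alice2@example.com"},
]


def normalize_login(login: str) -> str:
    """Assumed collapsing rule (drop whitespace, case-fold). This is a stand-in
    for the sanitisation the reporter suspects, not WordPress's own behaviour."""
    return re.sub(r"\s+", "", login).casefold()


def find_colliding_logins(users):
    """Audit: group accounts whose logins become identical after normalisation.
    Returns {normalized_login: [ID, ...]} for groups with more than one member."""
    groups = defaultdict(list)
    for u in users:
        groups[normalize_login(u["user_login"])].append(u["ID"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def lookup_by_normalized_login(users, login):
    """The failure mode: match on the normalised login and take the first hit.
    Asking for 'user1' returns the account for 'user 1' (ID 1234)."""
    key = normalize_login(login)
    for u in users:
        if normalize_login(u["user_login"]) == key:
            return u["ID"]
    return None


def resolve_for_reset(users, login):
    """Exact-match resolution with an explicit ambiguity signal: returns
    (user_id, other_ids), where other_ids lists accounts that collapse to the
    same normalised login, so the caller can log or double-check before a
    reset key is written to any account."""
    exact = [u["ID"] for u in users if u["user_login"] == login]
    if len(exact) != 1:
        return None, []
    same_key = find_colliding_logins(users).get(normalize_login(login), [])
    return exact[0], [i for i in same_key if i != exact[0]]


if __name__ == "__main__":
    print("ambiguous groups:", find_colliding_logins(USERS))
    print("lossy lookup for 'user1':", lookup_by_normalized_login(USERS, "user1"))
    print("exact resolve for 'user1':", resolve_for_reset(USERS, "user1"))
```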
Change History (3)
#2 follow-up: ↓ 3 (16 months ago)
I can reproduce this on my live site, which is a multisite install through the admin section, so it's not a matter of a user typing in the wrong username.
If I have two users:
1234 (user 1)
6789 (user1)
And I click wp-admin/users.php?action=resetpassword&users=1234&_wpnonce=xxxxxxx
It sets the user_activation_key for id 6789.
I wonder if there is any relation to this old ticket, since technically spaces should be sanitized from multi-site installs, but our site was converted to multisite quite a while after the site was started:
How do you know it's not simply a typo? Users can mistype their username, for example.
Basically, what information do you have that indicates that it's a mistake in the code rather than a mistake by the user?