Make WordPress Core

Opened 3 years ago

Closed 16 months ago

#58916 closed defect (bug) (invalid)

Wrong User Password Reset

Reported by: dappelman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.2
Component: Security
Keywords:
Focuses:
Cc:

Description

We have a lot of users in our database. We occasionally have users in our database that have similar usernames, for instance: 'user 1' and 'user1'.

When a password needs to be reset via the e-mail reset link, sometimes the user_activation_key is populated for the wrong user: when it was intended for 'user 1', it will be populated for 'user1', or the other way around.

They all have different user nicenames and e-mail addresses, but there must be some sanitizing going on with the username and password resets that is making similar but different usernames not technically unique.

Change History (4)

#1 @Otto42
3 years ago

  • Focuses multisite removed
  • Severity changed from major to normal

How do you know it's not simply a typo? Users can mistype their username, for example.

Basically, what information do you have that indicates that it's a mistake in the code rather than a mistake by the user?

#2 follow-up: @dappelman
3 years ago

I can reproduce this on my live site, which is a multisite install, through the admin section, so it's not a matter of a user typing in the wrong username.

If I have two users:

1234 (user 1)
6789 (user1)

And I click wp-admin/users.php?action=resetpassword&users=1234&_wpnonce=xxxxxxx

It sets the user_activation_key for id 6789.

I wonder if there is any relation to this old ticket, since technically spaces should be sanitized from multi-site installs, but our site was converted to multisite quite a while after the site was started:

https://core.trac.wordpress.org/ticket/17904

#3 in reply to: ↑ 2 @Otto42
3 years ago

Replying to dappelman:

If I have two users:

1234 (user 1)
6789 (user1)

What are these fields? Can you describe it in a way that it's easily reproducible on a WordPress site?

#4 @johnbillion
16 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I'll close this off as there hasn't been any feedback since the issue was reported. If you have any further information about how exactly to reproduce the problem, feel free to comment further here.
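
An added example, not part of the ticket or of WordPress code: one way to capture the reproducible evidence asked for in comments #1 and #3, by comparing two exports of wp_users taken before and after a single reset and reporting which user_activation_key actually changed. The sample rows are constructed, the function names are hypothetical, and treating logins as lookalikes when they differ only by whitespace is the reporter's hypothesis, not confirmed behaviour.

```python
import re
from collections import defaultdict

# Constructed sample rows (ID, user_login, user_activation_key) standing in for
# exports of the wp_users table before and after one reset request for ID 1234.
BEFORE = [(1234, "user 1", ""), (6789, "user1", ""), (4321, "alice", "")]
AFTER = [(1234, "user 1", ""), (6789, "user1", "constructed-key"), (4321, "alice", "")]


def collapse(login):
    """Comparison key: the login with all whitespace removed (an assumption)."""
    return re.sub(r"\s+", "", login)


def colliding_logins(rows):
    """Return groups of user IDs whose logins differ only by whitespace."""
    groups = defaultdict(list)
    for user_id, login, _key in rows:
        groups[collapse(login)].append(user_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def changed_keys(before, after):
    """Return the IDs whose user_activation_key differs between two snapshots."""
    old = {user_id: key for user_id, _login, key in before}
    return sorted(uid for uid, _login, key in after if old.get(uid) != key)


def check_reset(target_id, before, after):
    """Report which rows one reset touched and whether the target was among them."""
    changed = changed_keys(before, after)
    unexpected = [uid for uid in changed if uid != target_id]
    lookalikes = [
        uid
        for group in colliding_logins(after) if target_id in group
        for uid in group if uid in unexpected
    ]
    return {
        "target_updated": target_id in changed,
        "unexpected_ids": unexpected,
        "lookalike_of_target": lookalikes,
    }


if __name__ == "__main__":
    print(colliding_logins(BEFORE))
    print(check_reset(1234, BEFORE, AFTER))
```

A result with `target_updated` false and a non-empty `lookalike_of_target` is the behaviour the reporter describes; an empty `unexpected_ids` means the reset touched only the intended account.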
