Dance the password reset tango
Reported by: tellyworth
Here's how it goes:
- Start at wp-login.php?action=lostpassword, enter your username and click Get New Password. user_activation_key is now key1.
- Check your email. The key hasn't arrived yet.
- Go back to the lostpassword page and click Get New Password again. user_activation_key is now key2.
- The first confirmation email arrives containing key1. Click - it fails.
- Go back to the lostpassword page and click Get New Password again. user_activation_key is now key3.
- The second confirmation email arrives containing key2. Click - it fails.
Repeat steps 5 and 6 and ad lib to fade.
The enclosed patch breaks the cycle by only generating a new user_activation_key at step 1. When the password is successfully reset, wp_set_password() will set user_activation_key to an empty string. If multiple activation keys are requested before the password is successfully reset (steps 3 and 5), the same key will be re-sent each time.
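The cycle above and the patch's fix can be replayed in a small model of the flow. This is an added illustration, not WordPress code or the enclosed patch: `LostPasswordFlow`, `request_reset`, `reset_password` and the delayed `outbox` are assumed names standing in for the lostpassword handler, the key check and the slow mail delivery that causes the race. The `regenerate_each_request` flag switches between the old behaviour (new key on every request) and the patched behaviour (key only when none is outstanding, cleared on successful reset).

```python
import hmac
import secrets


class LostPasswordFlow:
    """Toy model of the lost-password flow (hypothetical, not WordPress code).

    regenerate_each_request=True  -> old behaviour: every click makes a new key.
    regenerate_each_request=False -> patched behaviour: a key is only generated
    when none is outstanding, and a successful reset clears it.
    """

    def __init__(self, regenerate_each_request):
        self.regenerate = regenerate_each_request
        self.keys = {}       # login -> user_activation_key ('' when none outstanding)
        self.passwords = {}  # login -> current password (plain text for the demo only)
        self.outbox = []     # emails queued for delivery; delivered later, in order

    def request_reset(self, login):
        """Handle one click on 'Get New Password' and queue the email."""
        current = self.keys.get(login, '')
        if self.regenerate or current == '':
            current = secrets.token_hex(10)   # constructed key, like key1/key2/key3
            self.keys[login] = current
        self.outbox.append((login, current))  # email carries whatever key is stored now
        return current

    def deliver_next_email(self):
        """Simulate the delayed mail transport: the oldest queued email arrives."""
        return self.outbox.pop(0)

    def check_key(self, login, key):
        """True only if a key is outstanding and matches (constant-time compare)."""
        stored = self.keys.get(login, '')
        # An empty stored key means 'no reset pending' and must never match,
        # even if the submitted key is also empty.
        return stored != '' and hmac.compare_digest(stored, key)

    def reset_password(self, login, key, new_password):
        """Complete the reset; on success the key is cleared, as wp_set_password() does."""
        if not self.check_key(login, key):
            return False
        self.passwords[login] = new_password
        self.keys[login] = ''
        return True


def dance(regenerate_each_request):
    """Replay the ticket's steps 1-4 plus the second email's arrival.

    Returns (first_email_works, second_email_still_works_afterwards).
    """
    flow = LostPasswordFlow(regenerate_each_request)
    flow.request_reset('alice')                       # step 1: key1 stored, email 1 queued
    flow.request_reset('alice')                       # step 3: key2 (old) or key1 re-sent (patched)
    login, mailed_key = flow.deliver_next_email()     # step 4: first email finally arrives
    first_works = flow.reset_password(login, mailed_key, 'new-pass')
    login, mailed_key = flow.deliver_next_email()     # the second email arrives later
    second_works = flow.check_key(login, mailed_key)
    return first_works, second_works


if __name__ == '__main__':
    print('old behaviour   :', dance(True))    # (False, True): first link dead, second live
    print('patched behavior:', dance(False))   # (True, False): first link works, then key cleared
```

With regeneration on every request the first email always carries a stale key, which is exactly the tango in the ticket. With the patched rule the repeated requests re-send the same key, the first email to arrive completes the reset, and because the key is cleared on success the remaining copies of that email are dead on arrival rather than leaving a reusable token in the mailbox.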