Make WordPress Core

Opened 3 weeks ago

Last modified 4 days ago

#62485 new defect (bug)

Lost Password form action URL is not using wp_lostpassword_url

Reported by: talextech
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version:
Component: Login and Registration
Keywords: has-patch
Focuses:
Cc:

Description

Lost Password form action URL is set by

<?php
echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) );

Because of this, if the lostpassword_url filter is used, the lost password form will no longer work. So ideally the action should be set to:

<?php
echo esc_url( wp_lostpassword_url($redirect_to) );

Attached is the updated wp-login.php file with the action URL changed on line 896.

Attachments (1)

wp-login.php (50.1 KB) - added by talextech 3 weeks ago.
updated form action at line 896


Change History (6)

@talextech
3 weeks ago

updated form action at line 896

This ticket was mentioned in PR #7850 on WordPress/wordpress-develop by @sainathpoojary.


3 weeks ago
#1

  • Keywords has-patch added

This PR updates the Lost Password form action in wp-login.php to use wp_lostpassword_url() instead of network_site_url(). This change ensures compatibility with the lostpassword_url filter, allowing for greater flexibility in customizing the URL.

### URL before changes:
https://github.com/user-attachments/assets/7371b40f-a7ee-42bf-8b53-d40104ec4002

### URL after changes:
https://github.com/user-attachments/assets/f9ab85f9-657d-4fb4-bf44-1933bfad1f32

---
Trac ticket: #62485

#2 @sabernhardt
3 weeks ago

  • Component changed from General to Login and Registration

#3 @parthvataliya
3 weeks ago

Nice catch @talextech!

The wp-login.php file has a set of default actions that determine how the page behaves. If a request is made with an action outside of these defaults, the page redirects to the login page. The current list of default actions includes:

$default_actions = array(  
    'confirm_admin_email',  
    'postpass',  
    'logout',  
    'lostpassword',  
    'retrievepassword',  
    'resetpass',  
    'rp',  
    'register',  
    'checkemail',  
    'confirmaction',  
    'login',  
    WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED,  
);  

To resolve this issue, we need to either update the $default_actions array to include the desired custom actions or remove the lostpassword_url filter to prevent redirection.

#4 @talextech
3 weeks ago

  • Severity changed from normal to minor

Well, you don't necessarily need a new action. You could have just customized the login URL.

But after going over it a bit more, changing anything here might be more work than it's worth, involve way too many edge cases, and potentially break 3rd-party code.

  1. The same issue applies to the registration form, which also has the registration URL hardcoded.
  2. If you just filter site_url and network_site_url and replace wp-login.php there it should achieve customizing the login URL just as well.
  3. If we change the action URL for registration and lost password we would still be using site_url() in other places and things won't be uniform anymore.

So unless anyone else thinks there's something worth pursuing here I guess this ticket can be closed. I wanted a core contribution 😁 but this isn't something that needs any fix.
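The filter-based workaround from point 2 above, narrowed to the lost-password action only, as an added example that is not part of the ticket or of WordPress core. It assumes a hypothetical front-end page at `/account/lost-password/` that accepts the form's POST and calls `retrieve_password()` itself; the `example_*` names and the constant are made up for illustration.

```php
<?php
/**
 * Plugin Name: Lost-password URL alignment (illustrative example)
 *
 * Keeps the "Lost your password?" link and the form action on
 * wp-login.php pointing at the same place. EXAMPLE_LOSTPW_PATH is an
 * assumption: a page that handles the POSTed "user_login" field.
 */

const EXAMPLE_LOSTPW_PATH = '/account/lost-password/'; // hypothetical path

// 1. Links are built by wp_lostpassword_url(), which applies this filter.
add_filter( 'lostpassword_url', 'example_lostpw_link', 10, 2 );
function example_lostpw_link( $url, $redirect ) {
	$custom = home_url( EXAMPLE_LOSTPW_PATH );
	if ( ! empty( $redirect ) ) {
		// add_query_arg() does not encode values, so encode first.
		$custom = add_query_arg( 'redirect_to', urlencode( $redirect ), $custom );
	}
	return $custom;
}

// 2. The form action is built with
//    network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ),
//    which never passes through 'lostpassword_url'. On a single site that
//    call returns site_url() directly, so both filters are hooked.
add_filter( 'site_url', 'example_lostpw_form_action', 10, 3 );
add_filter( 'network_site_url', 'example_lostpw_form_action', 10, 3 );
function example_lostpw_form_action( $url, $path, $scheme ) {
	// Match only the POST target of the lost-password form; every other
	// wp-login.php URL (login, register, rp, ...) is left untouched.
	if ( 'login_post' === $scheme
		&& 'wp-login.php?action=lostpassword' === $path ) {
		return home_url( EXAMPLE_LOSTPW_PATH );
	}
	return $url;
}
```

Without the second filter the link goes to the custom page while the form still posts to `wp-login.php?action=lostpassword`, which is the mismatch this ticket reports.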

@rinkalpagdar commented on PR #7850:


4 days ago
#5

Hello @SainathPoojary,
Can you please elaborate on what this PR changed in the login form?
