[wp-trac] [WordPress Trac] #38334: Login: Pass the `$user_data` object as a parameter to the `lostpassword_post` hook

WordPress Trac noreply at wordpress.org
Wed Apr 3 20:10:27 UTC 2019

#38334: Login: Pass the `$user_data` object as a parameter to the
`lostpassword_post` hook
 Reporter:  pagewidth                            |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Login and Registration               |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  good-first-bug has-patch needs-      |     Focuses:
  refresh                                        |

Comment (by kkarpieszuk):

 I think nothing has to be changed here at all (the ticket could be closed
 without applying any patch).

 Please see that inside of the function retrieve_password(), the $user_data
 is generated (if it is really generated, as @johnbillion correctly pointed
 out) from $_POST data and nothing else.

 So, whoever would utilize this lostpassword_post  action in his plugin or
 theme, has complete access to the same $_POST values and can run
 get_user_by() on them to get user data.

Ticket URL: <https://core.trac.wordpress.org/ticket/38334#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list