[wp-trac] [WordPress Trac] #38334: Login: Pass the `$user_data` object as a parameter to the `lostpassword_post` hook
WordPress Trac
noreply at wordpress.org
Wed Apr 3 20:10:27 UTC 2019
#38334: Login: Pass the `$user_data` object as a parameter to the
`lostpassword_post` hook
-------------------------------------------------+-------------------------
Reporter: pagewidth                              | Owner: (none)
Type: enhancement                                | Status: new
Priority: normal                                 | Milestone: Future Release
Component: Login and Registration                | Version:
Severity: normal                                 | Resolution:
Keywords: good-first-bug has-patch needs-refresh | Focuses:
-------------------------------------------------+-------------------------
Comment (by kkarpieszuk):
I think nothing has to be changed here at all (the ticket could be closed
without applying any patch).

Please see that inside of the function retrieve_password(), the $user_data
is generated (if it is really generated, as @johnbillion correctly pointed
out) from $_POST data and nothing else.

So, whoever would utilize this lostpassword_post action in his plugin or
theme has complete access to the same $_POST values and can run
get_user_by() on them to get user data.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38334#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
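
The approach this comment describes, as an added example that is not part of the original message or of WordPress core: a `lostpassword_post` callback that looks the user up from `$_POST['user_login']` itself and writes an audit line for the reset request. The function names and the log format are hypothetical, and treating a value that contains `@` as an email address is an assumption about how a plugin would choose the lookup field.

```php
<?php
/**
 * Added example (hypothetical plugin code, not from WordPress core).
 * Resolve the account named in a lost-password request from $_POST,
 * using only get_user_by() as the comment above suggests.
 */
function example_lostpassword_lookup_user() {
    // Reject missing or non-string input (e.g. user_login[]=x arrays).
    if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
        return false;
    }

    // WordPress adds slashes to $_POST; remove them before the lookup.
    $submitted = trim( wp_unslash( $_POST['user_login'] ) );

    // Assumption: a value containing '@' is an email, anything else a login.
    $field = ( false !== strpos( $submitted, '@' ) ) ? 'email' : 'login';

    // get_user_by() returns a WP_User object or false.
    return get_user_by( $field, $submitted );
}

/**
 * Callback for the lostpassword_post action: audit-log reset requests.
 */
function example_audit_lostpassword_post() {
    $user = example_lostpassword_lookup_user();

    // Log the numeric user ID only, never the raw submitted string, so
    // attacker-controlled text cannot forge or split log lines.
    // REMOTE_ADDR is the direct peer; behind a proxy it is the proxy's address.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    error_log(
        sprintf(
            'example-audit: password reset requested user_id=%d remote=%s',
            $user ? $user->ID : 0, // 0 = no matching account
            $remote
        )
    );
}
add_action( 'lostpassword_post', 'example_audit_lostpassword_post' );
```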