[wp-trac] [WordPress Trac] #45830: wp_update_user does not use the pluggable wp_set_password to change a user password
WordPress Trac
noreply at wordpress.org
Fri Jan 4 13:56:01 UTC 2019
#45830: wp_update_user does not use the pluggable wp_set_password to change a user password
--------------------------+-----------------------------
 Reporter:  couling       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  5.0.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
wp_update_user does not use the pluggable wp_set_password to change a user
password and instead updates it directly in the DB.
This means that any plugin replacing wp_set_password will be incorrectly
bypassed. It directly means the `reset_password` hook is skipped.
The comment at the start of wp_update_user should also be removed as it
encourages bad behaviour:
{{{
 * It is possible to update a user's password by specifying the 'user_pass'
 * value in the $userdata parameter array.
}}}
I would suggest a simple code fix. Replace this:
{{{
if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
    // If password is changing, hash it now
    $plaintext_pass = $userdata['user_pass'];
    $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
}}}
with this:
{{{
if ( ! empty( $userdata['user_pass'] )) {
    wp_set_password($userdata['user_pass'], $ID);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45830>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
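
The sketch below shows how a plugin that replaces `wp_set_password` can also observe password changes made through `wp_update_user`, the path the ticket says bypasses it. It is an added example, not code from the ticket or from WordPress core. Assumptions: the core `profile_update` action (arguments: user ID, old user object) is used to detect the change, and `myplugin_on_password_change()` is a hypothetical handler name.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core).
 * Covers both ways a password can change: the pluggable wp_set_password()
 * and wp_update_user(), which writes the new hash without calling it.
 */

// Hypothetical handler: whatever the plugin's wp_set_password() replacement
// is meant to do (audit log, session revocation, sync to another system).
function myplugin_on_password_change( $user_id, $source ) {
	error_log( sprintf( 'password changed: user=%d via=%s', $user_id, $source ) );
}

// Path 1: callers that go through the pluggable function. Plugins load
// before pluggable.php, so this definition replaces the core one.
if ( ! function_exists( 'wp_set_password' ) ) {
	function wp_set_password( $password, $user_id ) {
		global $wpdb;
		$wpdb->update(
			$wpdb->users,
			array(
				'user_pass'           => wp_hash_password( $password ),
				'user_activation_key' => '',
			),
			array( 'ID' => $user_id )
		);
		wp_cache_delete( $user_id, 'users' );
		myplugin_on_password_change( $user_id, 'wp_set_password' );
	}
}

// Path 2: wp_update_user(). Compare the stored hash before and after the
// update; a difference means the password was changed on this path.
add_action(
	'profile_update',
	function ( $user_id, $old_user_data ) {
		$user = get_userdata( $user_id );
		if ( $user && $old_user_data->user_pass !== $user->user_pass ) {
			myplugin_on_password_change( $user_id, 'wp_update_user' );
		}
	},
	10,
	2
);
```

The handler only sees the hash on the `wp_update_user` path, so logic that needs the plaintext (for example a password-policy check) cannot be done from this hook.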