[wp-trac] [WordPress Trac] #33209: Inviting a new user to Multisite results in password being emailed

WordPress Trac noreply at wordpress.org
Thu Jul 30 22:17:01 UTC 2015


#33209: Inviting a new user to Multisite results in password being emailed
--------------------------+-----------------------------
 Reporter:  Ipstenu       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:  multisite     |
--------------------------+-----------------------------
 If you add a new user from a site users page (NOT the network one,
 {{{/sitename/wp-admin/user-new.php}}} ) the flow results in a password
 being emailed in plaintext.

 1) Add new user

 2) New user gets email to activate

 3) Activate link (ex. {{{example.com/sitename/wp-activate.php?key=5324e8cf2cef143b}}} ) shows the new password

 4) The following email is sent:

 {{{
 Howdy anotherstenu,

 Your new account is set up.

 You can log in with the following information:
 Username: anotherstenu
 Password: 78HoBi6oFSf9
 http://local.multisite-pre.dev/blarg/wp-login.php

 Thanks!

 --The Team @ Multisite Naked Sites

 }}}

 Whoops.

 It looks like this can be fixed for new sites by updating
 wp-includes/ms-functions.php, however this is set in the database on Network Activation,
 which means even changing core doesn't update the myriad sites who are
 merrily emailing out passwords because this is set (wp admin -> Network
 settings -> Welcome User Email)

 {{{
 Howdy USERNAME,

 Your new account is set up.

 You can log in with the following information:
 Username: USERNAME
 Password: PASSWORD
 LOGINLINK

 Thanks!

 --The Team @ SITE_NAME
 }}}


 The attached patch addresses new setups and doesn't break existing ones
 since I'm really not sure what's best here. I want to say we should edit
 everyone's DB and change the above block to this:

 {{{
 Howdy USERNAME,

 Your new account is set up.

 Username: USERNAME

 To set your password, visit the following address:

 <RESETLINK>

 Thanks!

 --The Team @ SITE_NAME
 }}}

 However there are myriad people who have customized that simply because
 they can, and I fear the damage of breaking them.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33209>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
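
Added example (not part of the ticket or of WordPress core): one way to triage the stored Welcome User Email templates the ticket worries about, separating untouched stock templates that could be migrated automatically from customized ones that need a manual edit. The stock text is the one quoted in the ticket; the function names and sample inputs are hypothetical, and the check assumes the password is substituted wherever the literal token PASSWORD appears.

```php
<?php
// Stock template exactly as quoted in the ticket.
const STOCK_TEMPLATE = <<<'TXT'
Howdy USERNAME,

Your new account is set up.

You can log in with the following information:
Username: USERNAME
Password: PASSWORD
LOGINLINK

Thanks!

--The Team @ SITE_NAME
TXT;

// Normalize line endings and trailing whitespace so cosmetic differences
// do not make a stock template look customized.
function normalize_template(string $t): string {
    $t = str_replace(["\r\n", "\r"], "\n", $t);
    $lines = array_map('rtrim', explode("\n", $t));
    return trim(implode("\n", $lines));
}

// Returns 'safe' (no password placeholder), 'stock-leaks' (unmodified
// default, can be replaced automatically) or 'custom-leaks' (edited by an
// administrator, needs a manual fix so the customization is not lost).
function classify_welcome_template(string $stored): string {
    // Assumption: any occurrence of the literal token is substituted.
    if (strpos($stored, 'PASSWORD') === false) {
        return 'safe';
    }
    return normalize_template($stored) === normalize_template(STOCK_TEMPLATE)
        ? 'stock-leaks'
        : 'custom-leaks';
}

// Constructed sample inputs standing in for templates saved on three networks.
$samples = [
    'network-a' => str_replace("\n", "\r\n", STOCK_TEMPLATE) . "\r\n",
    'network-b' => "Welcome USERNAME!\nYour password is PASSWORD\nLOGINLINK",
    'network-c' => "Howdy USERNAME,\nLog in at LOGINLINK",
];
foreach ($samples as $name => $tpl) {
    printf("%-10s %s\n", $name, classify_welcome_template($tpl));
}
```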

