[wp-trac] [WordPress Trac] #42183: wp_update_user() conditional compares a plain-text password to the hashed old
WordPress Trac
noreply at wordpress.org
Wed Oct 11 14:20:03 UTC 2017
#42183: wp_update_user() conditional compares a plain-text password to the hashed old
--------------------------+-----------------------------
Reporter: yudge | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.5.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In file wp-includes/user.php, function
[https://developer.wordpress.org/reference/functions/wp_update_user/ wp_update_user()],
on line 1767:
{{{
if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass )
}}}
The second conditional is comparing a plain-text password to a hashed
version of the password, so this would almost always evaluate to true except
for the case where the new password itself matches the old hashed
password. This block will then evaluate to false and therefore the password
itself won't be updated. It's a rare case, but the logic here is incorrect.
And obviously this code block would run when the passwords are the same, since
it's comparing plain-text to the hashed version.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42183>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
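The two behaviours the reporter describes, written out as a stand-alone PHP script. This is an added illustration, not WordPress core code and not something from the ticket: PHP's built-in password_hash()/password_verify() stand in for WordPress's wp_hash_password()/wp_check_password(), and the helper names flawed_needs_update() and correct_needs_update() are invented for this example.

```php
<?php
// Added example (not WordPress core): contrasts the string comparison quoted
// in ticket #42183 with a check that verifies the submitted password against
// the stored hash. password_hash()/password_verify() are used in place of
// wp_hash_password()/wp_check_password(); the function names are assumptions.

// Mirrors the original condition: raw string comparison between the
// submitted plain-text password and the stored hash. Because a plain-text
// password is never byte-identical to its own hash, this is true for every
// non-empty submission except one: a submission that is literally the hash.
function flawed_needs_update( string $new_plain, string $stored_hash ): bool {
    return ! empty( $new_plain ) && $new_plain !== $stored_hash;
}

// Corrected check: skip the update only when the submitted password actually
// verifies against the stored hash, i.e. it really is the same password.
// A submission equal to the hash string is treated as a (new) password, since
// the hash text does not verify against itself.
function correct_needs_update( string $new_plain, string $stored_hash ): bool {
    return ! empty( $new_plain ) && ! password_verify( $new_plain, $stored_hash );
}

function describe( string $label, string $submitted, string $stored_hash ): void {
    printf(
        "%-40s flawed: %-5s correct: %s\n",
        $label,
        flawed_needs_update( $submitted, $stored_hash ) ? 'yes' : 'no',
        correct_needs_update( $submitted, $stored_hash ) ? 'yes' : 'no'
    );
}

// Constructed sample data: an existing user's password and its stored hash.
$old_plain   = 'correct horse battery staple';
$stored_hash = password_hash( $old_plain, PASSWORD_DEFAULT );

// Case 1: the user resubmits their unchanged password. The flawed check
// re-hashes (and re-saves) it anyway; the corrected check leaves it alone.
describe( 'unchanged password resubmitted', $old_plain, $stored_hash );

// Case 2: the rare case from the ticket, where the submitted "password" is the
// stored hash string itself. The flawed check skips the update; the corrected
// check does not, because the hash string is not the user's password.
describe( 'submission equals stored hash', $stored_hash, $stored_hash );

// Case 3: a genuinely new password. Both checks update, as they should.
describe( 'genuinely new password', 'a different passphrase', $stored_hash );
```

Run with `php` on the command line; each line reports whether the flawed and the corrected condition would trigger a password update for that case. The point of the corrected form is that "same password" can only be decided by hashing the candidate and comparing in the hash domain, never by comparing the plain text against the stored hash.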