[wp-trac] [WordPress Trac] #42183: wp_update_user() conditional compares a plain-text password to the hashed old

WordPress Trac noreply at wordpress.org
Wed Oct 11 14:20:03 UTC 2017


#42183: wp_update_user() conditional compares a plain-text password to the hashed old
--------------------------+-----------------------------
 Reporter:  yudge         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  4.5.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 In file wp-includes/user.php, function
 [https://developer.wordpress.org/reference/functions/wp_update_user/
 wp_update_user()], on line 1767:

 {{{
 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass )
 }}}

 The second conditional is comparing a plain-text password to a hashed
 version of the password, so this would almost always evaluate to true except
 for the case where the new password itself matches the old hashed
 password. This block will then evaluate to false and therefore the password
 itself won't be updated. It's a rare case, but the logic here is incorrect.
 And obviously this code block would run when the passwords are the same, since
 it's comparing plain-text to the hashed version.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42183>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
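The comparison from the ticket placed beside a corrected one, as an added example that is not WordPress code; it uses PHP's own password_hash()/password_verify() to stand in for WordPress's wp_hash_password()/wp_check_password() so it runs stand-alone.

```php
<?php
// Added illustration of ticket #42183, not code from WordPress.
// password_hash()/password_verify() stand in for wp_hash_password()/
// wp_check_password(); the function names below are hypothetical.

/** The check as quoted in the ticket: plain text compared to the stored hash. */
function needs_update_buggy( string $newPlain, string $storedHash ): bool {
    return ! empty( $newPlain ) && $newPlain !== $storedHash;
}

/** Corrected check: verify the plain text against the stored hash instead. */
function needs_update_fixed( string $newPlain, string $storedHash ): bool {
    return ! empty( $newPlain ) && ! password_verify( $newPlain, $storedHash );
}

// Constructed sample: a stored hash of the user's current password.
$storedHash = password_hash( 'correct horse battery staple', PASSWORD_DEFAULT );

$cases = [
    // Same password resubmitted: the buggy check still reports a change
    // (plain text never equals its hash); the fixed check does not.
    'unchanged password'   => 'correct horse battery staple',
    // The rare case from the ticket: the submitted value equals the hash
    // string itself, so the buggy check reports no change at all.
    'plain text == hash'   => $storedHash,
    // A genuinely new password: both checks report a change.
    'new password'         => 'new-secret',
];

foreach ( $cases as $label => $submitted ) {
    printf(
        "%-20s buggy=%s fixed=%s\n",
        $label,
        var_export( needs_update_buggy( $submitted, $storedHash ), true ),
        var_export( needs_update_fixed( $submitted, $storedHash ), true )
    );
}
```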
