[wp-trac] [WordPress Trac] #54025: Issue in retrieve_password function (file - wp-includes/user.php )

WordPress Trac noreply at wordpress.org
Fri Aug 27 14:19:35 UTC 2021


#54025: Issue in retrieve_password function (file - wp-includes/user.php )
--------------------------+-----------------------------
 Reporter:  parambir      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  critical      |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Hey guys,

 There is an issue when we click on "Send Reset Link" from the edit user in
 the wp-admin panel.

 This issue is coming from function "retrieve_password" (file location -
 wp-includes/user.php).

 {{{#!php
 <?php
 if ( empty( $user_login ) ) {
         $errors->add( 'empty_username', __( '<strong>Error</strong>: Please enter a username or email address.' ) );
 } elseif ( strpos( $user_login, '@' ) ) {
         $user_data = get_user_by( 'email', trim( wp_unslash( $user_login ) ) );
         if ( empty( $user_data ) ) {
                 $errors->add( 'invalid_email', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
         }
 } else {
         $user_data = get_user_by( 'login', trim( wp_unslash( $user_login ) ) );
 }
 }}}


 If you check this function, in the elseif condition you check for @ in
 $user_login. If it is found, then you guys take it as an email, and if the
 record is not found then the error comes "There is no account with that
 username or email address".

 Suppose our username is support@test.com and email is info@test.com. When
 function 'retrieve_password' will run, it will serve elseif condition and
 there you check username "support@test.com" with an email get_user_by(
 'email', trim( wp_unslash( $user_login ) ) ).
 It will return an error, as actually, support@test.com is the username.

 I found this bug, while one of our customers has a different email from
 username and his username has character @.
 Due to this, I was not able to send him the password reset link. For now,
 I fixed this in our core files and hope you guys will fix it in the coming
 version.

 Thanks

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54025>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
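
The lookup order reported in this ticket, next to a variant that falls back to the login column when the email lookup misses. This is an added example, not WordPress code and not the reporter's fix: find_user() is a hypothetical stand-in for get_user_by(), the account data is constructed, and case-insensitive matching is an assumption.

```php
<?php
// Constructed sample accounts; these stand in for the WordPress users table.
const USERS = [
    ['login' => 'support@test.com', 'email' => 'info@test.com'],
    ['login' => 'alice',            'email' => 'alice@example.org'],
];

// Hypothetical stand-in for get_user_by(): returns the matching row or null.
// Case-insensitive comparison is an assumption of this example.
function find_user(string $field, string $value): ?array {
    foreach (USERS as $user) {
        if (strcasecmp($user[$field], $value) === 0) {
            return $user;
        }
    }
    return null;
}

// Lookup order as quoted in the ticket: an '@' means "search by email only".
function resolve_as_reported(string $input): ?array {
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    if (strpos($input, '@')) {
        return find_user('email', $input);
    }
    return find_user('login', $input);
}

// Same condition, but an email miss falls back to the login column.
function resolve_with_fallback(string $input): ?array {
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    if (strpos($input, '@')) {
        return find_user('email', $input) ?? find_user('login', $input);
    }
    return find_user('login', $input);
}

// Print which account each input resolves to under both lookup orders.
foreach (['support@test.com', 'info@test.com', 'alice', 'nobody@test.com'] as $input) {
    $a = resolve_as_reported($input);
    $b = resolve_with_fallback($input);
    printf("%-18s reported=%-18s fallback=%s\n", $input, $a['login'] ?? '(none)', $b['login'] ?? '(none)');
}
```

In both versions an email match takes precedence, so if one account's login equals another account's email address, the input resolves to the account that owns the email.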

