[wp-trac] [WordPress Trac] #54984: wp_update_user doesn't work properly with current user instance

WordPress Trac noreply at wordpress.org
Sat Jan 29 11:03:50 UTC 2022 

#54984: wp_update_user doesn't work properly with current user instance
--------------------------+------------------------------
 Reporter:  oztaser       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by costdev:

Old description:

> After #28020 merged in 5.8, there are two errors that I noticed in
> `wp_update_user`.
>
> 1. Storing plain password:
> If user object to be updated is getting by `get_userdata` (with current
> user id) or `wp_get_current_user`, `wp_update_user` doesn't hash the new
> password.
>
> Also doesn't send password change email.
>
> 2. Doesn't send Email change email.
>
> Here is my mu-plugin to produce the errors:
>
> {{{#!php
> <?php
> namespace NefisYemekTarifleri\Test_User_Password_Hash;
>
> add_action( 'init', __NAMESPACE__ . '\\init' );
> function init() {
>         global $wpdb;
>
> //      $user             = get_userdata( 1 );
>         $user             = wp_get_current_user();
>         $user->user_pass  = '123456';
>         $user->user_email = 'adil at oztaser.com';
>
>         wp_update_user( $user );
> }
> }}}
>
> I think it's not the best way to change password using `wp_update_user`,
> but if `wp_update_user` supports it, password should be hashed.
>
> P.S: I couldn't find any related ticket about this problem, sorry if
> there is.

New description:

 After #28020 merged in 5.8, there are two errors that I noticed in
 `wp_update_user`.

 1. Storing plain password:
 If user object to be updated is getting by `get_userdata` (with current
 user id) or `wp_get_current_user`, `wp_update_user` doesn't hash the new
 password.

 Also doesn't send password change email.

 2. Doesn't send Email change email.

 Here is my mu-plugin to produce the errors:

 {{{#!php
 <?php
 namespace NefisYemekTarifleri\Test_User_Password_Hash;

 add_action( 'init', __NAMESPACE__ . '\\init' );
 function init() {
         global $wpdb;

 //      $user             = get_userdata( 1 );
         $user             = wp_get_current_user();
         $user->user_pass  = '123456';

         wp_update_user( $user );
 }
 }}}

 I think it's not the best way to change password using `wp_update_user`,
 but if `wp_update_user` supports it, password should be hashed.

 P.S: I couldn't find any related ticket about this problem, sorry if there
 is.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54984#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list