[wp-trac] [WordPress Trac] #58916: Wrong User Password Reset
WordPress Trac
noreply at wordpress.org
Wed Jul 26 15:29:38 UTC 2023
#58916: Wrong User Password Reset
--------------------------+-----------------------------
 Reporter:  dappelman     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  6.2
 Severity:  major         |   Keywords:
  Focuses:  multisite     |
--------------------------+-----------------------------
We have a lot of users in our database. We occasionally have users in our
database that have similar usernames, for instance: 'user 1' and 'user1'.
When a password needs to be reset via the e-mail reset link, sometimes the
user_activation_key is populated for the wrong user: when it was intended
for 'user 1', it will be populated for 'user1', or the other way around.
They all have different user nicenames and e-mail addresses, but there
must be some sanitizing going on with the username and password resets
that is making similar but different usernames not technically unique.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58916>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform