[wp-trac] [WordPress Trac] #58916: Wrong User Password Reset
WordPress Trac
noreply at wordpress.org
Fri Jul 28 21:44:46 UTC 2023
#58916: Wrong User Password Reset
--------------------------+------------------------------
Reporter: dappelman | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.2
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by dappelman):
I can reproduce this on my live site, which is a multisite install through
the admin section, so it's not a matter of a user typing in the wrong
username.
If I have two users:
1234 (user 1)
6789 (user1)
And I click wp-
admin/users.php?action=resetpassword&users=1234&_wpnonce=xxxxxxx
It sets the user_activation_key for id 6789.
I wonder if there is any relation to this old ticket, since technically
spaces should be sanitized from multi-site installs, but our site was
converted to multisite quite a while after the site was started:
https://core.trac.wordpress.org/ticket/17904
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58916#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list