[wp-trac] [WordPress Trac] #56372: unexpected behavior user.php wp_update_user() detects change in password when there is no change

WordPress Trac noreply at wordpress.org
Sat Aug 13 22:54:39 UTC 2022


#56372: unexpected behavior user.php wp_update_user() detects change in password
when there is no change
--------------------------+--------------------------------------
 Reporter:  HamishAhern   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  6.0
 Severity:  normal        |   Keywords:  2nd-opinion needs-design
  Focuses:                |
--------------------------+--------------------------------------
 I am a PHP developer, and I just set up a brand new WordPress site. Within
 the first week of going live I started getting 1 complaint a day from
 customers, so I decided to look into the code to see where the bug or
 glitch was coming from.

 I traced it down to a function in the user component, under
 wp_update_user()

 Something in this line of code is not quite right. Just because a password
 needs to be hashed doesn't mean that it has been changed.

 {{{#!php
 <?php
 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
 }}}

 I feel like the best option here would be to wrap another check around the
 send_password_change_email flag and set it to false in some situations
 where there is no change to the password.

 {{{
 $send_password_change_email = apply_filters( 'send_password_change_email', true, $user, $userdata );
 }}}


 I see a filter that I could use as a workaround, but as a PHP developer I
 feel this deserves an open ticket to improve this unexpected behavior.

 **Customer 1:**

 {{{
 I got the notice, but I did not change my password.

 On Sat, Aug 13, 2022, 12:55 PM EvoScan <orders at evo_scan.com> wrote:
 Hi j_guerra at ltu.edu,

 This notice confirms that your password was changed on EvoScan.

 If you did not change your password, please contact the Site Administrator
 at
 orders at evo_scan.com

 This email has been sent to j_guerra at ltu.edu

 Regards,
 All at EvoScan

 }}}

 **Customer 2:**

 {{{
 I was logged in, but sent me this email for no reason, I did not reset my
 password.

 Subject: [EvoScan] Password Changed

 Hi nataliahenao,

 This notice confirms that your password was changed on EvoScan.

 If you did not change your password, please contact the Site Administrator
 at
 orders at evo_scan.com

 This email has been sent to jandres_72 at hot_mail.com

 Regards,
 All at EvoScan

 }}}


 **Customer 3:**
 I received that email while logged into the site. So I then logged out and
 yes I could log back in with my current password. I think perhaps it was a
 glitch on your end.

 Regards,
 Brian Jonas

 Subject: [EvoScan] Password Changed

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56372>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
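
Added example, not part of the ticket and not WordPress core code: a stand-alone PHP sketch that puts the condition quoted in the ticket next to a stricter check, showing that re-submitting the current password satisfies the quoted condition even though nothing changed. `password_hash()`/`password_verify()` stand in for WordPress's own hashing helpers, and the function names and sample passwords are constructed for illustration.

```php
<?php
// Added illustration: plain PHP stand-in, not WordPress core code.
// password_hash()/password_verify() stand in for WordPress's hashing helpers.

// The condition quoted in the ticket: any non-empty value that is not
// byte-identical to the stored hash is treated as a password change.
function condition_from_ticket( array $userdata, string $stored_hash ): bool {
    return ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $stored_hash;
}

// Hypothetical stricter check: a submitted value counts as a change only if
// it is neither the stored hash itself nor a plaintext that the hash verifies.
function password_really_changed( array $userdata, string $stored_hash ): bool {
    if ( empty( $userdata['user_pass'] ) ) {
        return false; // field not submitted
    }
    $submitted = $userdata['user_pass'];
    if ( hash_equals( $stored_hash, $submitted ) ) {
        return false; // caller passed the existing hash straight back
    }
    return ! password_verify( $submitted, $stored_hash );
}

// Constructed sample data.
$stored_hash = password_hash( 'correct horse battery', PASSWORD_DEFAULT );
$cases       = array(
    'field omitted'            => array(),
    'stored hash passed back'  => array( 'user_pass' => $stored_hash ),
    'current password re-sent' => array( 'user_pass' => 'correct horse battery' ),
    'new password'             => array( 'user_pass' => 'a different passphrase' ),
);

foreach ( $cases as $label => $userdata ) {
    printf(
        "%-26s ticket condition: %-5s stricter check: %s\n",
        $label,
        var_export( condition_from_ticket( $userdata, $stored_hash ), true ),
        var_export( password_really_changed( $userdata, $stored_hash ), true )
    );
}
```

Only the "current password re-sent" row differs between the two columns: the quoted condition reports a change there, which is the case that would trigger a "Password Changed" notice without any actual change.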

