[wp-trac] [WordPress Trac] #56372: unexpected behavior user.php wp_update_user() detects change in password when there is no change

WordPress Trac noreply at wordpress.org
Mon Aug 15 22:48:00 UTC 2022


#56372: unexpected behavior user.php wp_update_user() detects change in password
when there is no change
--------------------------+-----------------------
 Reporter:  HamishAhern   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Users         |     Version:  6.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+-----------------------
Changes (by HamishAhern):

 * status:  closed => reopened
 * resolution:  worksforme =>


Comment:

 I disagree with your analysis. Firstly, you are just buttering up and
 smoothing over an issue; I guess all my plugins are rubbish. Please
 remember I am not using anything fancy. How would a plugin get a copy of
 the unhashed password, when the user did NOT type it in any of these
 cases? And I already proved that.

 Why would you need to add code to WordPress to stop double hashing? That
 in itself is a cop-out. Clearly this user module was not built correctly.
 And how would a plugin get a copy of the unhashed password, when the user
 did NOT type it in any of these cases?

 And it's only when you added the email notification in 2015 that it's
 effectively created a form of 'debug' logging. And now the glitch is
 clear for everyone to see.

 That's the way I see it.

 I wish I had time to prove you all wrong, but I guess, just close the
 ticket. And have everyone ignore the email notification. In fact, you
 might as well take the email notification out of the base WordPress; it's
 not a very useful notification to users anyway.



 Replying to [comment:4 sajjad67]:
 > Hi @HamishAhern
 >
 > Welcome to the trac! With a fresh WP installation I can confirm that
 > it's not a bug or auto triggering issue! I think any of your plugin /
 > theme is updating the user_pass or something.
 >
 > As @SergeyBiryukov already said...
 >
 > **It looks like if the password is not intended to be changed, it should
 > not be passed to wp_update_user() at all.**

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56372#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

