• Hi,

    I have been chasing duplicate admin emails on a live store and it traces back to WooCommerce core, so I wanted to flag it here.

    Every time a customer resets their password through the My Account flow, the site admin gets the “[Site] Password Changed” notification twice. Two separate sends, identical body (“Password changed for user: X”), about a second apart. I confirmed they are two real sends in our mail log, not a single email delivered twice by the SMTP layer.

    Environment:

    • WooCommerce 10.9.1
    • WordPress 7.0
    • Reproduced with all other plugins out of the picture

    Steps to reproduce:

    1. As a customer, go through Lost Password and follow the reset link to the My Account reset form.
    2. Set a new password.
    3. The admin address receives two identical “Password Changed” emails.

    Where it comes from:

    It is in includes/shortcodes/class-wc-shortcode-my-account.php, in set_new_password(). That method does two things that each end up sending the same core notification:

    • It fires do_action( 'after_password_reset', $user, $new_pass ) (around line 391). WordPress core already hooks wp_password_change_notification onto that action in wp-includes/default-filters.php, so this alone triggers the admin email.
    • A few lines later (around line 397) it also calls wp_password_change_notification( $user ) directly.

    So one reset runs the notification down two paths and the admin gets two emails. Looking at the docblock, the do_action( 'after_password_reset' ) call was added in 10.9.0 “for parity with core”, but the direct call was left in place, and core’s long-standing hook on that action turns the new do_action into a second send. On older versions only the direct call existed, so it was a single email. That makes this a 10.9.0 regression.

    Workaround for anyone hitting this:

    There is a filter wrapping the direct call, so this stops the duplicate:

    add_filter( 'woocommerce_disable_password_change_notification', '__return_true' );

    That leaves WordPress core’s after_password_reset notification as the single send.

    The reason I am reporting rather than just filtering it away: the default behaviour double sends for everyone on 10.9.x, which is a lot of confused store admins. It looks like either the new do_action should not also be paired with the direct wp_password_change_notification() call, or the direct call should be removed now that the action covers it. Happy to test a patch.

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi @devksec!

    Thank you for taking the time to investigate this so thoroughly and for providing such a detailed report, including the root cause and workaround.

    I can confirm that this issue has already been reported on our GitHub repository, and our developers are aware of it and are currently investigating it:
    https://github.com/woocommerce/woocommerce/issues/66103

    I recommend adding a comment to that GitHub issue as well. That way, you’ll be able to follow the discussion and receive updates directly from our developers as they work toward a resolution. Your additional findings and testing may also be helpful to the investigation.

    Thank you again for reporting this and for your understanding and cooperation.

    Since the duplicates are confirmed at the mail-log level with other plugins removed, this looks like the password-change notification may be firing twice in the reset-password flow. A hook trace around wp_password_change_notification() and the related WooCommerce account actions would help confirm whether core is triggering two separate sends.
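The hook trace suggested in the reply, written up as an added example for the double-send mechanism described in the original post. This is not code from the thread, WooCommerce or WordPress core. It is a diagnostic mu-plugin: drop it into wp-content/mu-plugins/, run one My Account password reset, and read wp-content/debug.log. It assumes WP_DEBUG and WP_DEBUG_LOG are enabled so error_log() lands in debug.log, and it relies on wp_mail's filter and wp_debug_backtrace_summary() from core; the function and log prefix names are the example's own. If the report is right, each reset produces two "send #" lines, one classified as coming through the after_password_reset action and one as the direct wp_password_change_notification() call.

```php
<?php
/**
 * Plugin Name: Trace duplicate "Password Changed" admin notifications
 * Description: Diagnostic mu-plugin (added example, not WooCommerce or
 *              WordPress code). Logs every password-change notification with
 *              the call stack that produced it so the two send paths can be
 *              confirmed from the debug log. Remove once you are done.
 *
 * Assumes WP_DEBUG and WP_DEBUG_LOG are on so error_log() reaches debug.log.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Label the path that produced the current send from the frames returned by
 * wp_debug_backtrace_summary( null, 0, false ). Core renders action frames
 * as "do_action('hook_name')", so the action-driven path is easy to spot;
 * anything else is a direct call to wp_password_change_notification().
 */
function pwchange_trace_classify( array $frames ) {
	foreach ( $frames as $frame ) {
		if ( 0 === strpos( $frame, "do_action('after_password_reset')" ) ) {
			return 'via after_password_reset action';
		}
	}
	return 'direct wp_password_change_notification() call';
}

// Inspect every outgoing mail; only the core "[Site] Password Changed"
// notification is of interest, so match on the fixed part of the subject.
add_filter(
	'wp_mail',
	function ( $args ) {
		static $sends = 0; // sends seen in this request

		$subject = isset( $args['subject'] ) ? (string) $args['subject'] : '';
		if ( false === strpos( $subject, 'Password Changed' ) ) {
			return $args;
		}

		$sends++;
		$to     = isset( $args['to'] ) ? $args['to'] : '';
		$to     = is_array( $to ) ? implode( ',', $to ) : (string) $to;
		$frames = wp_debug_backtrace_summary( null, 0, false );

		error_log( sprintf(
			'[pwchange-trace] send #%d in this request to %s: %s | stack: %s',
			$sends,
			$to,
			pwchange_trace_classify( $frames ),
			implode( ', ', $frames )
		) );

		if ( $sends > 1 ) {
			error_log( '[pwchange-trace] more than one Password Changed notification in one request: duplicate confirmed' );
		}

		return $args; // never alter the mail, only observe it
	},
	PHP_INT_MAX
);

// Record when the action itself fires, so its timing can be matched against
// the send lines above. Priority 1 runs before core's own hook on this action.
add_action(
	'after_password_reset',
	function ( $user ) {
		error_log( sprintf( '[pwchange-trace] after_password_reset fired for user #%d', $user->ID ) );
	},
	1
);
```

Read the log after one reset: a single "after_password_reset fired" line followed by two "send #" lines with different classifications is the signature of the bug described above; a single "send #" line means the site is not affected (or the workaround filter from the original post is active). Because the plugin only observes wp_mail and never changes the arguments, it is safe to leave on a staging copy while testing a patch, but it writes recipient addresses to debug.log, so do not run it on production longer than needed.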
