Duplicate admin “Password Changed” email
Hi,
I have been chasing duplicate admin emails on a live store and it traces back to WooCommerce core, so I wanted to flag it here.
Every time a customer resets their password through the My Account flow, the site admin gets the “[Site] Password Changed” notification twice. Two separate sends, identical body (“Password changed for user: X”), about a second apart. I confirmed they are two real sends in our mail log, not a single email delivered twice by the SMTP layer.
Environment:
- WooCommerce 10.9.1
- WordPress 7.0
- Reproduced with all other plugins out of the picture
Steps to reproduce:
- As a customer, go through Lost Password and follow the reset link to the My Account reset form.
- Set a new password.
- The admin address receives two identical “Password Changed” emails.
Where it comes from:
It is in includes/shortcodes/class-wc-shortcode-my-account.php, in set_new_password(). That method does two things that each end up sending the same core notification:
- It fires do_action( 'after_password_reset', $user, $new_pass ) (around line 391). WordPress core already hooks wp_password_change_notification onto that action in wp-includes/default-filters.php, so this alone triggers the admin email.
- A few lines later (around line 397) it also calls wp_password_change_notification( $user ) directly.
So one reset runs the notification down two paths and the admin gets two emails. Looking at the docblock, the do_action( 'after_password_reset' ) call was added in 10.9.0 “for parity with core”, but the direct call was left in place, and core’s long-standing hook on that action turns the new do_action into a second send. On older versions only the direct call existed, so it was a single email. That makes this a 10.9.0 regression.
Workaround for anyone hitting this:
There is a filter wrapping the direct call, so this stops the duplicate:
add_filter( 'woocommerce_disable_password_change_notification', '__return_true' );
That leaves WordPress core’s after_password_reset notification as the single send.
The reason I am reporting rather than just filtering it away: the default behaviour double sends for everyone on 10.9.x, which is a lot of confused store admins. It looks like either the new do_action should not also be paired with the direct wp_password_change_notification() call, or the direct call should be removed now that the action covers it. Happy to test a patch.
Thanks.
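An added example, not part of the original post and not WooCommerce or WordPress project code: a must-use plugin that applies the workaround above only while core's after_password_reset hook is still attached (so the admin never ends up with no password-change notification at all), and logs the call path of each “Password Changed” send so both paths can be confirmed. The mu-plugins placement, the log prefix and the match on the English subject text are assumptions.

```php
<?php
/**
 * Plugin Name: Password-change notification diagnostic (added example)
 * Assumed location: wp-content/mu-plugins/. Log prefix is made up for this example.
 */

// Workaround from the post, applied only while core's own hook is attached,
// so disabling the direct call can never leave the admin with zero notifications.
add_filter(
	'woocommerce_disable_password_change_notification',
	static function ( $disabled ) {
		// has_action() returns the hook priority, or false when not attached.
		$core_hooked = false !== has_action( 'after_password_reset', 'wp_password_change_notification' );
		return $core_hooked ? true : $disabled;
	}
);

// Log every "Password Changed" mail with the call path that produced it.
add_filter(
	'wp_mail',
	static function ( $args ) {
		static $sends = 0; // Counts matching sends within this request only.

		$subject = isset( $args['subject'] ) ? (string) $args['subject'] : '';
		// Assumption: the site uses the untranslated English subject quoted in the post.
		if ( false === strpos( $subject, 'Password Changed' ) ) {
			return $args;
		}

		++$sends;
		error_log(
			sprintf(
				'[pw-notify-diag] send #%d in this request via: %s',
				$sends,
				wp_debug_backtrace_summary( null, 0, true )
			)
		);
		if ( $sends > 1 ) {
			error_log( '[pw-notify-diag] duplicate admin notification in one request' );
		}

		return $args; // Never alter or block the mail itself.
	}
);
```

With the first filter commented out, a single reset on an affected version should log two sends, one reached through the after_password_reset action and one through the direct call.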