Theme My Login support forum: Password Reset Key Invalid in E-Mail from Reset Form

  • Hello. I’m using TML 6.3.10. The reset password key that comes from the reset password form is invalid. When clicking on the email link, it takes you to the admin page “?action=lostpassword&error=invalidkey”. Once the user enters their username on this page, WordPress sends another reset e-mail with a valid key. Any ideas?? Thanks.

    https://wordpress.org/plugins/theme-my-login/

Viewing 7 replies - 1 through 7 (of 7 total)
  • I am experiencing the same problem. Very frustrating. Can anyone help?

    I am having the same issue.

    I am having this issue, too.

    To fix this, open the file /plugins/theme-my-login/includes/class-theme-my-login.php

    Find the function

    public static function check_password_reset_key( $key, $login ) {

    And comment out (add // at the start of the line) this line:

    $key = preg_replace( '/[^a-z0-9]/i', '', $key );

    That’s it. The end result should be:

    public static function check_password_reset_key( $key, $login ) {
        global $wpdb;

        // $key = preg_replace( '/[^a-z0-9]/i', '', $key );

        if ( empty( $key ) || ! is_string( $key ) )
            return new WP_Error( 'invalid_key', __( 'Invalid key' ) );

        if ( empty( $login ) || ! is_string( $login ) )
            return new WP_Error( 'invalid_key', __( 'Invalid key' ) );

        $user = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login ) );

        if ( empty( $user ) )
            return new WP_Error( 'invalid_key', __( 'Invalid key' ) );

        return $user;
    }

    I have no idea why that line is there, it’s redundant and just strips off all letters and numbers from the key, so obviously it then won’t match the key in the db…

    I did this on our site and it all works fine now.

    @biranit — THANKS!

    This does work. Obviously it’s not ideal to make this change directly to the plugin, so I’m hoping the author will see this and make the adjustment. For now I’ll be mindful about plugin updates for this site.

    The bigger issue is that the author of this plugin is using the same key in the email as in the database – which is slightly unsafe, and different to how WordPress does it (the key sent out is hashed). It would be far better if in the next update, the author of this plugin used the native (and more secure) WordPress function. In fact, many of the functions in this plugin should have remained native.
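    To make the point in the reply above concrete, the following is an added example (not the plugin's code and not WordPress core's) of the hashed-key pattern: only a hash of the reset key is stored, the raw key goes out by e-mail, and verification hashes the e-mailed key and checks an expiry. It assumes an in-memory $users array standing in for the wp_users table (constructed data), uses PHP's password_hash()/password_verify() in place of WordPress' own hasher, and returns plain strings where the plugin returns WP_Error.

```php
<?php
// Added example: hashed reset-key storage modelled on the "time:hash" layout
// WordPress core keeps in user_activation_key. Not the plugin's code.

const RESET_KEY_TTL = 86400; // keys are valid for one day (assumption)

// Constructed stand-in for the wp_users table.
$users = [ 'alice' => [ 'user_activation_key' => '' ] ];

// Issue a key: the caller e-mails the returned plaintext; the DB keeps only
// the request time and a hash, so a leaked row does not yield a usable link.
function issue_reset_key( array &$users, string $login ): string {
    $key = bin2hex( random_bytes( 20 ) ); // raw key, sent to the user only
    $users[ $login ]['user_activation_key'] =
        time() . ':' . password_hash( $key, PASSWORD_DEFAULT );
    return $key;
}

// Verify the e-mailed key against the stored hash; never compare the mailed
// key with the stored value directly, and refuse unhashed legacy rows.
function check_reset_key( array $users, string $key, string $login ): string {
    if ( $key === '' || ! isset( $users[ $login ] ) ) {
        return 'invalid_key';
    }
    $stored = $users[ $login ]['user_activation_key'];
    if ( strpos( $stored, ':' ) === false ) {
        return 'invalid_key'; // plaintext/legacy format: treat as invalid
    }
    list( $requested, $hash ) = explode( ':', $stored, 2 );
    if ( ! password_verify( $key, $hash ) ) {
        return 'invalid_key';
    }
    if ( time() - (int) $requested > RESET_KEY_TTL ) {
        return 'expired_key';
    }
    return 'ok';
}

$plain = issue_reset_key( $users, 'alice' );
var_dump( check_reset_key( $users, $plain, 'alice' ) );          // the e-mailed key
var_dump( check_reset_key( $users, 'not-the-key', 'alice' ) );   // a wrong key
// The stored DB value itself is not accepted as a key:
var_dump( check_reset_key( $users, $users['alice']['user_activation_key'], 'alice' ) );
```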

    Thank you, I’ve tried this and now my key is working and directing to the page to enter a new password. But when I do that it just keeps reloading the same page, but the password isn’t changed. Is there another step that needs to be completed?

  • The topic ‘Password Reset Key Invalid in E-Mail from Reset Form’ is closed to new replies.