• Hi,

    I have been chasing duplicate admin emails on a live store and it traces back to WooCommerce core, so I wanted to flag it here.

    Every time a customer resets their password through the My Account flow, the site admin gets the “[Site] Password Changed” notification twice. Two separate sends, identical body (“Password changed for user: X”), about a second apart. I confirmed they are two real sends in our mail log, not a single email delivered twice by the SMTP layer.

    Environment:

    • WooCommerce 10.9.1
    • WordPress 7.0
    • Reproduced with all other plugins out of the picture

    Steps to reproduce:

    1. As a customer, go through Lost Password and follow the reset link to the My Account reset form.
    2. Set a new password.
    3. The admin address receives two identical “Password Changed” emails.

    Where it comes from:

    It is in includes/shortcodes/class-wc-shortcode-my-account.php, in set_new_password(). That method does two things that each end up sending the same core notification:

    • It fires do_action( 'after_password_reset', $user, $new_pass ) (around line 391). WordPress core already hooks wp_password_change_notification onto that action in wp-includes/default-filters.php, so this alone triggers the admin email.
    • A few lines later (around line 397) it also calls wp_password_change_notification( $user ) directly.

    So one reset runs the notification down two paths and the admin gets two emails. Looking at the docblock, the do_action( 'after_password_reset' ) call was added in 10.9.0 “for parity with core”, but the direct call was left in place, and core’s long-standing hook on that action turns the new do_action into a second send. On older versions only the direct call existed, so it was a single email. That makes this a 10.9.0 regression.

    Workaround for anyone hitting this:

    There is a filter wrapping the direct call, so this stops the duplicate:

    add_filter( 'woocommerce_disable_password_change_notification', '__return_true' );

    That leaves WordPress core’s after_password_reset notification as the single send.

    The reason I am reporting rather than just filtering it away: the default behaviour double-sends for everyone on 10.9.x, which is a lot of confused store admins. It looks like either the new do_action should not also be paired with the direct wp_password_change_notification() call, or the direct call should be removed now that the action covers it. Happy to test a patch.

    Thanks.
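A small mu-plugin for confirming the two call paths described above on a staging site, added here as an example and not code from the report or from WooCommerce. It assumes an English-language site (the core subject contains "Password Changed"), uses only documented WordPress functions (has_action, wp_mail filter, wp_debug_backtrace_summary), and the version gate around the workaround filter is an assumption, not something the report specifies.

```php
<?php
/**
 * Plugin Name: Password Changed notification diagnostic (added example)
 * Place in wp-content/mu-plugins/ on a staging copy; remove once the regression is fixed.
 */

// 1. Sanity check: is core's handler still hooked onto after_password_reset?
//    has_action() returns the hook priority (10 in default-filters.php) or false.
add_action( 'init', function () {
    $prio = has_action( 'after_password_reset', 'wp_password_change_notification' );
    error_log( sprintf(
        '[pw-notify] core wp_password_change_notification on after_password_reset: %s',
        false === $prio ? 'not hooked' : 'priority ' . $prio
    ) );
} );

// 2. Tag every outgoing "Password Changed" email with the path that produced it.
//    wp_debug_backtrace_summary() renders action frames as "do_action('hook')", so that
//    frame separates the after_password_reset path from the direct call in set_new_password().
add_filter( 'wp_mail', function ( $args ) {
    if ( empty( $args['subject'] ) || false === strpos( $args['subject'], 'Password Changed' ) ) {
        return $args; // not the notification we are tracing
    }
    $frames = wp_debug_backtrace_summary( null, 0, false ); // array of frame summaries
    $path   = in_array( "do_action('after_password_reset')", $frames, true )
        ? 'after_password_reset action (core hook)'
        : 'direct wp_password_change_notification() call';
    error_log( sprintf(
        '[pw-notify] "%s" to %s via %s',
        $args['subject'],
        implode( ',', (array) $args['to'] ),
        $path
    ) );
    return $args;
} );

// 3. The workaround from the report, applied only where both paths exist (assumption:
//    gate on 10.9.0+ so older releases, where the direct call is the only send, keep their email).
//    Registered on plugins_loaded because WC_VERSION is not yet defined when mu-plugins load.
add_action( 'plugins_loaded', function () {
    if ( defined( 'WC_VERSION' ) && version_compare( WC_VERSION, '10.9.0', '>=' ) ) {
        add_filter( 'woocommerce_disable_password_change_notification', '__return_true' );
    }
} );
```

With WP_DEBUG_LOG enabled, one reset should produce two "[pw-notify]" lines with different paths before the workaround is active, and one line via the core hook afterwards.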

Viewing 1 replies (of 1 total)
  • Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi @devksec!

    Thank you for taking the time to investigate this so thoroughly and for providing such a detailed report, including the root cause and workaround.

    I can confirm that this issue has already been reported on our GitHub repository, and our developers are aware of it and are currently investigating it:
    https://github.com/woocommerce/woocommerce/issues/66103

    I recommend adding a comment to that GitHub issue as well. That way, you’ll be able to follow the discussion and receive updates directly from our developers as they work toward a resolution. Your additional findings and testing may also be helpful to the investigation.

    Thank you again for reporting this and for your understanding and cooperation.
