Support » Plugins and Hacks » Hacks » [Resolved] Hack for wp-login malformed password reset url

[Resolved] Hack for wp-login malformed password reset url

  • Encountered invalid key error on password reset. Discovered message emailed contained url delimited by angle brackets, and rightmost angle bracket was being included in login argument. Commented message variable and copied it omitting the offending bracket.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Tara


    Volunteer Moderator

    how did you resolve it?

    Hello t-p.

    Sorry, I thought I was clear in the OP. I commented the message variable originally in wp-login and copied it underneath the line. Below is an excerpt of the modified code.

    function retrieve_password() [...]
    // $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n"; ending angle bracket = invalid key
    $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . " \r\n";


    Volunteer Moderator

    -remember when you update WP next time, all your mods in the core files will be lost

    – second, messing with core files may cause security issue, unless you are expert in this stuff.

    – third, sorry, I can help with modifying the core file, for I am not expert in this stuff.



    Volunteer Moderator

    Oh, looks like you already resolved the issue, while I was posting my answer. 🙂

    Yes, I realize the next update will overwrite wp-login.php, but then hopefully this issue will not persist in the next update.

    On the up side, if it does I know the first place I can look!

    “The Intrepid Explorer”

    Ran into this issue, and removing the offending close bracket did the trick.

    Oddly, only found my way here after Googling some actual code from wp-login.php there is no mention of WordPress 3.4.1 broken password reset email link easily found. Hope this helps, and thanks for posting.

    Hey Seacostweb! I found your thread (about 1 year old) about your homepage loading twice or at least recording the hit twice because it loaded the header twice or something. Did you ever figure that out? I’m having the same problem and have not found anything about it except for your lone, unanswered thread …


    Forgot to click “Notify” …

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘[Resolved] Hack for wp-login malformed password reset url’ is closed to new replies.