Security hole and bug when trying to reset password

  • With a clean install of WP and TML…

    The key is reset/cleared when the user resets their password? If they don’t reset their password then the old key is retained.

    The email goes to the user’s email address.

    …is this a problem?

    Not everyone installs TML on a clean installation of WP. Many people, including myself, add TML to existing installations. That leaves the old MD5 style reset key for the user, causing the preg_replace bug. TML resetting passwords is not compatible with older accounts.

    I see what you’re saying about clearing the key on password reset. That does sound better. Ideally, the reset key would expire after a few hours/days but that’s a different story.
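
The points raised in the thread above (clear the key once it is used, expire it after a few hours, and stop honouring stored keys in an older format), as an added example that is not code from WordPress, Theme My Login or anyone in this thread. The function names, the `issued_at:sha256` storage format, the three-hour lifetime and the reading of "MD5 style" as a bare 32-character hex string are all assumptions, and the in-memory arrays stand in for the user table.

```php
<?php
// Added example: hypothetical helpers, not WordPress or Theme My Login code.
const RESET_TTL = 3 * 3600; // assumed key lifetime: 3 hours

// Issue a key: the raw key is emailed to the user, the store keeps "issued_at:sha256(key)".
function issue_reset_key(array &$user, int $now): string {
    $key = bin2hex(random_bytes(20));
    $user['reset_key'] = $now . ':' . hash('sha256', $key);
    return $key;
}

// Returns 'ok', 'expired', 'invalid', or 'legacy' (stored value predates this format).
function check_reset_key(array $user, string $key, int $now): string {
    $stored = $user['reset_key'] ?? '';
    if ($stored === '') return 'invalid';
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $stored, $m)) return 'legacy';
    if ($now - (int)$m[1] > RESET_TTL) return 'expired';
    return hash_equals($m[2], hash('sha256', $key)) ? 'ok' : 'invalid';
}

// Complete the reset. On success the key is cleared, so it works exactly once.
function reset_password(array &$user, string $key, string $new_password, int $now): string {
    $status = check_reset_key($user, $key, $now);
    if ($status === 'expired' || $status === 'legacy') {
        $user['reset_key'] = ''; // drop stale or old-format keys; a new one must be requested
    }
    if ($status === 'ok') {
        $user['pass'] = password_hash($new_password, PASSWORD_DEFAULT);
        $user['reset_key'] = '';
    }
    return $status;
}

// Constructed sample data: an older account holding a bare 32-hex key, and a fresh account.
$t0  = 1700000000;
$old = ['reset_key' => md5('constructed-legacy-key')];
$new = ['reset_key' => ''];
$key = issue_reset_key($new, $t0);

echo reset_password($old, 'anything', 'pw0', $t0), "\n";             // old-format key on file
echo reset_password($new, $key, 'pw1', $t0 + 60), "\n";              // first use of a fresh key
echo reset_password($new, $key, 'pw2', $t0 + 120), "\n";             // same key replayed
$key2 = issue_reset_key($new, $t0);
echo reset_password($new, $key2, 'pw3', $t0 + RESET_TTL + 1), "\n";  // used after the lifetime
```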
