Change password looks for old password in wrong array field

This topic contains 4 replies, has 3 voices, and was last updated by Andy 4 years, 4 months ago.

We have moved to a support ticketing system and our forums are now closed.

  • #5765

    Andy
    Free User
    Post count: 46

    I have the setting “Enabled Old Password?” turned on so users are asked to enter their old password when setting a new password via the Change Password page (a good security practice and pretty much the standard).

    However the error message “Please enter your old password” is always sent back when trying to change your password.

    This is because UsersWP_Validation::validate_fields is trying to get the old password from $data["uwp_change_old_password"] but it is actually in $data["old_password"].

    This is on line 284 in version 1.2.0.9. class-validation.php

    I’ve temporarily turned off “Enabled Old Password?” to work around this (not ideal) and the result is not good from a security point of view – the old password field is still displayed but you can enter anything you like there and it will still change the password! Not what you would expect – the old password field should disappear.

    #5769

    Paolo
    Site Admin
    Post count: 31206

    Hi, and thanks for reporting this. A developer was alerted and he’ll follow up ASAP.

    #5771

    Andy
    Free User
    Post count: 46

    Thanks Paolo.

    On further testing the problem seems to go deeper than just the old password field.

    On changing the password, it shows the message that the password has been changed successfully, and the hash changes in the database table, but an error message is logged and the user is no longer able to log in with either the old or new password.

    PHP error message logged:

    [12-Nov-2019 19:07:57 UTC] PHP Notice: Undefined index: uwp_change_password in …\wp-content\plugins\userswp\includes\class-forms.php on line 764

    So it looks like it is trying to pick up the NEW password from the wrong array item as well.

    #5778

    Patrik
    Moderator
    Post count: 1971

    Hi,

    Thanks for noticing the issue and providing details. We have fixed this issue and the fix will be available in the next update very soon.

    Regards,
    Patrik

    #5818

    Andy
    Free User
    Post count: 46

    Hi Patrik,

    I saw the update come out with this fix in the changelog. I have applied it and password change now functions as expected for me.

    I have however had a different problem that seems related to password change. I’ve posted it in a different thread:

    https://userswp.io/support/topic/403-forbidden-error-on-logout-after-successful-password-change/

    Thank you.
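
An added sketch, not UsersWP's code and not written by anyone in this thread, of a change-password handler that avoids both symptoms reported above: one field list drives both what the form shows and what the validator requires, and a missing key is rejected rather than read as an empty value. Only the key `old_password` comes from the thread; `password`, `confirm_password`, `form_fields()` and `change_password()` are hypothetical names, and PHP's native `password_hash()`/`password_verify()` stand in for whatever hashing the plugin uses.

```php
<?php
declare(strict_types=1);

// Added illustration, not UsersWP code. Key names other than 'old_password'
// are hypothetical. One list drives both rendering and validation.
function form_fields(bool $requireOld): array
{
    $fields = ['password', 'confirm_password'];
    return $requireOld ? array_merge(['old_password'], $fields) : $fields;
}

// Returns ['ok' => bool, 'error' => ?string, 'hash' => ?string].
// $storedHash is the user's current password_hash() value.
function change_password(array $data, string $storedHash, bool $requireOld): array
{
    $fail = fn(string $msg): array => ['ok' => false, 'error' => $msg, 'hash' => null];

    // Fail closed: a missing, empty or non-string field is an error, so a
    // missing value is never hashed and stored as the new password.
    foreach (form_fields($requireOld) as $key) {
        if (!isset($data[$key]) || !is_string($data[$key]) || $data[$key] === '') {
            return $fail("Missing field: $key");
        }
    }
    if ($requireOld && !password_verify($data['old_password'], $storedHash)) {
        return $fail('Old password is incorrect');
    }
    if ($data['password'] !== $data['confirm_password']) {
        return $fail('New passwords do not match');
    }
    return ['ok' => true, 'error' => null,
            'hash' => password_hash($data['password'], PASSWORD_DEFAULT)];
}

// Constructed sample input.
$stored = password_hash('old-secret', PASSWORD_DEFAULT);
$new = ['password' => 'new-secret', 'confirm_password' => 'new-secret'];
$cases = [
    'mismatched key'     => ['uwp_change_old_password' => 'old-secret'] + $new,
    'wrong old password' => ['old_password' => 'guess'] + $new,
    'correct submission' => ['old_password' => 'old-secret'] + $new,
];
foreach ($cases as $label => $data) {
    $result = change_password($data, $stored, true);
    echo $label, ': ', $result['ok'] ? 'changed' : $result['error'], PHP_EOL;
}
```

Because the template would render only what `form_fields()` returns, turning the old-password requirement off removes the field from the form instead of leaving an input that is displayed but never checked.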
