From 5d6ac060ba86a386c08f28c6e82f2a94361c705a Mon Sep 17 00:00:00 2001
From: audrasjb
Date: Tue, 4 Jun 2024 14:44:16 +0000
Subject: [PATCH] Login and Registration: Flush `user_activation_key` after successfully login. This changeset ensures the `user_activation_key` is flushed after successful login, so reset password links can not be used anymore after the user successfully log into their dashboard. Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya. Fixes #58901. See #32429 Built from https://develop.svn.wordpress.org/trunk@58333 git-svn-id: http://core.svn.wordpress.org/trunk@57789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/user.php | 22 ++++++++++++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 7a71b78af9..5a3e6ddc98 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -110,6 +110,28 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 }

 wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
+
+ /**
+ * @global wpdb $wpdb WordPress database abstraction object.
+ */
+ global $wpdb;
+
+ // Flush `user_activation_key` if exists after successful login.
+ if ( ! empty( $user->user_activation_key ) ) {
+ $wpdb->update(
+ $wpdb->users,
+ array(
+ 'user_activation_key' => '',
+ ),
+ array( 'ID' => $user->ID ),
+ array( '%s' ),
+ array( '%d' )
+ );
+
+ // Empty user_activation_key object.
+ $user->user_activation_key = '';
+ }
+
 /**
 * Fires after the user has successfully logged in.
 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 52f735f087..e68f3c08ac 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.6-alpha-58332';
+$wp_version = '6.6-alpha-58333';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
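Review bot: The direct `$wpdb->update()` on `$wpdb->users` in the block added to `wp-includes/user.php` is not followed by any cache invalidation, so on a site with a persistent object cache the cached user row may still carry the old `user_activation_key` after login; whether the reset-key check reads that cached row is not visible here and should be confirmed. Adding `clean_user_cache( $user );` right after the update would close that gap. The return value of the update is also ignored, and `$user->user_activation_key = '';` runs even when the write failed, which leaves the in-memory object out of step with the stored key; capturing the result and guarding the assignment with `if ( false !== $updated )` keeps the two consistent. `wp_signon()` starts and ends outside the hunk, so logins that do not pass through it are presumably not covered by this flush.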