Users: Check that a valid user is passed to `get_password_reset_key()`.

Props edocev. Fixes #44601. git-svn-id: https://develop.svn.wordpress.org/trunk@44602 602fd350-edb4-49c9-b593-d223f7449a82
2019-01-15 06:26:23 +00:00 · 2019-01-15 06:26:23 +00:00 · 0393473016
parent de1b02f61b
commit 0393473016
1 changed files with 4 additions and 0 deletions
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@ -2217,6 +2217,10 @@ function wp_get_password_hint() {
 function get_password_reset_key( $user ) {
 	global $wpdb, $wp_hasher;

+	if ( ! ( $user instanceof WP_User ) ) {
+		return new WP_Error( 'invalidcombo', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
+	}
+
 	/**
 	 * Fires before a new password is retrieved.
 	 *