From 039347301685797a027a79100df209b7b57dfd4e Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Tue, 15 Jan 2019 06:26:23 +0000
Subject: [PATCH] Users: Check that a valid user is passed to `get_password_reset_key()`.

Props edocev. Fixes #44601.

git-svn-id: https://develop.svn.wordpress.org/trunk@44602 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 4c14aa6451..d0b760986c 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2217,6 +2217,10 @@ function wp_get_password_hint() {
 function get_password_reset_key( $user ) {
 global $wpdb, $wp_hasher;
 
+ if ( ! ( $user instanceof WP_User ) ) {
+ return new WP_Error( 'invalidcombo', __( 'ERROR: There is no account with that username or email address.' ) );
+ }
+
 /**
 * Fires before a new password is retrieved.
 *
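Review bot: The new `instanceof WP_User` guard at the top of `get_password_reset_key()` carries no comment saying why it is there, and the diffstat shows `user.php` as the only file changed, so no regression test accompanies it. A one-line comment such as `// Bail out before any reset hooks fire if the caller did not pass a real user object (e.g. the result of a failed lookup).` would record the intent. A unit test asserting that a non-`WP_User` argument returns a `WP_Error` with code `invalidcombo` would pin the behaviour. The returned message states that no account matches, so a caller that shows it verbatim to an unauthenticated requester discloses whether an account exists; that is worth checking at the call sites, which are not visible here. The function's docblock and the rest of its body lie outside the hunk, so whether `WP_Error` is already listed in its `@return` cannot be confirmed from this page.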