From 3a97668d06af583a72aa1cb0ca591c78a9bdc98b Mon Sep 17 00:00:00 2001 From: "Dominik Schilling (ocean90)" Date: Sun, 23 Oct 2016 14:01:53 +0000 Subject: [PATCH] Users: Use `self_admin_url()` for the email change confirmation link. Prevents sending users to wp-admin/profile.php if they only have access to wp-admin/user/profile.php. Props dave.pullig. Fixes #38451. git-svn-id: https://develop.svn.wordpress.org/trunk@38876 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/ms.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php index acdd09fb3c..7e08e6f4f2 100644 --- a/src/wp-admin/includes/ms.php +++ b/src/wp-admin/includes/ms.php @@ -388,7 +388,7 @@ All at ###SITENAME### $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email ); $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); - $content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail='.$hash ) ), $content ); + $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); $content = str_replace( '###EMAIL###', $_POST['email'], $content); $content = str_replace( '###SITENAME###', get_site_option( 'site_name' ), $content ); $content = str_replace( '###SITEURL###', network_home_url(), $content );