Bug fix for Reset Password Problem in WP Plugin Sideways8 Custom Login & Registration 0.87

Issue: Forgot Password Not Resetting Password

While using the WordPress plugin Sideways8 Custom Login & Registration Form v0.87 we encountered an issue that appears to have persisted through the last four released versions and is documented in several support threads, for example:

https://wordpress.org/support/topic/forgot-password-not-reseting-password

Test Environment

Description

The plugin replaces the default WordPress login and registration forms with template-based forms that integrate seamlessly into the active WP theme. Therefore it also ships replacements for the „forgot password“ form and the „Reset Password“ page. Everything works fine except the „Reset Password“ form: it does not change the user's password at all, which defeats its purpose for someone who forgot the old one. Worse, there is no recognizable feedback on the frontend, so the user may assume that everything went fine and the password has been set to the new value.

Analysis

Indeed, the S8 Custom Login & Registration Form loses data after the „Change Password“ button is clicked: the form's action URL carries key and login as HTTP GET query parameters, the request goes through an HTTP 302 redirect, and the query string is dropped on the way, so the variables simply vanish.

The required key and login parameters are therefore empty when the plugin calls check_password_reset_key(), which returns a WP_Error. That error is not handled correctly by the plugin; it is bypassed and ignored, which is why the frontend shows no message.

Bug fix

forms.php

Open the file wp-content/plugins/s8-custom-login-and-registration/inc/forms.php and change the following code (at around line 85):

case 'reset':
 /***** PASSWORD RESET FORM *****/
 // Output our form
 ?><form name="pass-reset" action="<?php echo home_url( '/' . s8_login_registration::ep_login . '/?action=reset&key=' . $_GET['key'] . '&login=' . $_GET['login'] ); ?>" method="post" class="s8_form reset_form"><?php

to

case 'reset':
 /***** PASSWORD RESET FORM *****/
 // Output our form
 ?><form name="pass-reset" action="<?php echo home_url( '/' . s8_login_registration::ep_login . '/?action=reset' ); ?>" method="post" class="s8_form reset_form"><?php

The entire query part (action, key and login) is still available to the handler: the hidden input _wp_http_referer, which wp_nonce_field() emits alongside the nonce, carries the request URI of the page that rendered the form, and it arrives as an HTTP POST variable that can be parsed in the next step. Dropping the interpolation also removes the unescaped echo of $_GET['key'] and $_GET['login'] into the action attribute.

s8-login-registration.php

Open the file wp-content/plugins/s8-custom-login-and-registration/s8-login-registration.php

and search for the function user_password_reset() at around line 227:

function user_password_reset() {
 if ( ! wp_verify_nonce( $_POST['s8-clr-reset-nonce'], plugin_dir_path( S8_LOGIN_FILE ) ) )
 die('An attempt to bypass security checks was detected! Please go back to the password reset and try again.');
 // We are updating our password!
 ob_start();
 require_once(ABSPATH.'wp-login.php');
 $tmp = ob_get_clean(); // Keep wp-login.php from showing up by accident.
 $user = check_password_reset_key($_GET['key'], $_GET['login']);
 // Is the reset key valid?
 if(is_wp_error($user)) $errors = $user;

and change the code line

$user = check_password_reset_key($_GET['key'], $_GET['login']);

to

 // _wp_http_referer is the hidden field wp_nonce_field() adds; it holds the URI of the page that rendered the form
 $http_referer = isset( $_POST['_wp_http_referer'] ) ? wp_unslash( $_POST['_wp_http_referer'] ) : '';
 // parse_url() returns null when there is no query part, and parse_str() needs a string
 $query_vars = (string) parse_url( $http_referer, PHP_URL_QUERY );
 parse_str( $query_vars, $query_vars_array );
 // Missing parameters fall through to check_password_reset_key(), which returns a WP_Error for them
 $parsed_key = isset( $query_vars_array['key'] ) ? $query_vars_array['key'] : '';
 $parsed_login = isset( $query_vars_array['login'] ) ? $query_vars_array['login'] : '';
 $user = check_password_reset_key( $parsed_key, $parsed_login );

With the parameters recovered, check_password_reset_key() receives a valid key and login and WordPress changes the password correctly. Reading them from a POST field is no weaker than reading them from the query string: both are client-supplied, and check_password_reset_key() still validates the key against the one stored for that login before anything is changed.
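To see the parsing step on its own, here is an added, stand-alone example (not code from the plugin or from this post) that extracts key and login from a _wp_http_referer POST field the way the fix above does, but also handles the cases the two-line version glosses over: a missing field, a referer without a query string, URL-encoded values, and a referer from a different action. The function name s8_example_reset_params_from_referer and the sample POST bodies are constructed for illustration; the real handler would still pass the result to check_password_reset_key(). It runs with the PHP CLI and needs no WordPress functions.

```php
<?php
// Added example, not the plugin's own code. Recovers the password-reset
// parameters from the hidden _wp_http_referer field that wp_nonce_field()
// emits (it contains the REQUEST_URI of the page that rendered the form).
// Nothing here validates the key itself; that remains the job of
// check_password_reset_key() in the real handler.

/**
 * Returns array( 'key' => ..., 'login' => ... ) when both parameters are
 * present in the referer's query string, or null otherwise.
 * (Hypothetical helper name for this example.)
 */
function s8_example_reset_params_from_referer( array $post ) {
    if ( ! isset( $post['_wp_http_referer'] ) || ! is_string( $post['_wp_http_referer'] ) ) {
        return null; // hidden input was not rendered or was stripped
    }
    // WordPress adds slashes to request data; stripslashes() stands in for
    // wp_unslash() outside WordPress.
    $referer = stripslashes( $post['_wp_http_referer'] );

    // parse_url() returns null when there is no query part (false on a badly
    // malformed URL), and parse_str() on PHP 8 insists on a string.
    $query = parse_url( $referer, PHP_URL_QUERY );
    if ( ! is_string( $query ) || $query === '' ) {
        return null;
    }
    parse_str( $query, $vars ); // also URL-decodes the values

    // The reset page puts action=reset in its query; refuse anything else so a
    // stray referer (e.g. from the lostpassword form) is not mistaken for a reset.
    if ( ! isset( $vars['action'] ) || $vars['action'] !== 'reset' ) {
        return null;
    }
    if ( empty( $vars['key'] ) || empty( $vars['login'] )
        || ! is_string( $vars['key'] ) || ! is_string( $vars['login'] ) ) {
        return null;
    }
    return array( 'key' => $vars['key'], 'login' => $vars['login'] );
}

// Constructed sample POST bodies, as the reset form submits them with method=post.
$samples = array(
    'normal'        => array( '_wp_http_referer' => '/login/?action=reset&key=AbCdEf123456&login=alice' ),
    'encoded login' => array( '_wp_http_referer' => '/login/?action=reset&key=AbCdEf123456&login=alice%40example.com' ),
    'no query'      => array( '_wp_http_referer' => '/login/' ),
    'wrong action'  => array( '_wp_http_referer' => '/login/?action=lostpassword&key=x&login=y' ),
    'field missing' => array( 's8-clr-reset-nonce' => 'deadbeef' ),
);

foreach ( $samples as $label => $post ) {
    $result = s8_example_reset_params_from_referer( $post );
    printf( "%-14s => %s\n", $label,
        $result === null ? 'null (hand a WP_Error to the form)' : json_encode( $result ) );
}
```

Only the first two samples yield a key/login pair; the others return null, which is the point at which the real handler should surface an error on the form instead of silently continuing, as the unpatched plugin does.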

Additional notes

It is a pity, and should be easy to fix, that the user changing the password is only told after entering and submitting the new password that it has to be at least 8 characters long and must not contain certain characters. Perhaps a few lines of code could also bring the password „strength-o-meter“ from the default WP password reset form to this page; it seems to be just some linked JS libraries.

Gonna give it a try – stay tuned