From 3d6bffd1cfe71419986e64ec5650052a7c1e512f Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Mon, 9 Feb 2026 16:35:30 -0800
Subject: [PATCH 1/2] Reuse rp cookie for obtaining user
---
 src/wp-login.php | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/src/wp-login.php b/src/wp-login.php
index 72538db4c39ce..1d2a328ff2651 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -538,13 +538,6 @@ function wp_login_viewport_meta() {
 setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
 }
-if ( isset( $_GET['user_login'] ) ) {
- setcookie( 'wp_user_login', sanitize_user( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
- if ( wp_safe_redirect( wp_login_url() ) ) {
- exit;
- }
-}
-
 /**
 * Fires when the login form is initialized.
 *
@@ -1007,15 +1000,10 @@ function wp_login_viewport_meta() {
 if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
 reset_password( $user, $_POST['pass1'] );
- setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
- $login_url = wp_login_url();
- if ( isset( $_COOKIE['wp_user_login'] ) ) {
- $login_url = add_query_arg( 'user_login', rawurlencode( sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ) ), $login_url );
- }
 login_header(
 __( 'Password Reset' ),
 wp_get_admin_notice(
- __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '',
+ __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '',
 array(
 'type' => 'info',
 'additional_classes' => array( 'message', 'reset-pass' ),
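Review bot: Removing `setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );` after `reset_password()` in the `@@ -1007,15 +1000,10 @@` hunk means nothing visible in this patch expires the `wp-resetpass-` cookie any more, so the value that the login form later splits on `:` stays in the browser after the reset has completed. The part after the colon is presumably the reset key and presumably already spent once `reset_password()` returns, but that happens outside the diff and should be confirmed. A reset cookie should not outlive the reset, so either clear it once the login form has read the username, or overwrite it at this point with a login-only value. If keeping it is intentional, say so above `login_header(`, e.g. `// Reset cookie is kept so the login form can prefill the username; its key is no longer valid.` The enclosing branch starts and ends outside the hunk.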
@@ -1518,8 +1506,9 @@ function wp_login_viewport_meta() {
 }
 wp_enqueue_script( 'user-profile' );
- if ( ! $user_login && isset( $_COOKIE['wp_user_login'] ) ) {
- $user_login = sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) );
+ $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
+ if ( ! $user_login && isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) {
+ $user_login = sanitize_user( wp_unslash( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ) );
 }
 ?>
From 57dbb4cee5b4c0e5d2df727338a64aa2253d5b35 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Mon, 9 Feb 2026 16:43:37 -0800
Subject: [PATCH 2/2] Remove redundant wp_unslash()
---
 src/wp-login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-login.php b/src/wp-login.php
index 1d2a328ff2651..944aefa184735 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -1508,7 +1508,7 @@ function wp_login_viewport_meta() {
 wp_enqueue_script( 'user-profile' );
 $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
 if ( ! $user_login && isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) {
- $user_login = sanitize_user( wp_unslash( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ) );
+ $user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) );
 }
 ?>
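Review bot: `strtok()` is a fragile way to split the cookie in the new `$user_login` assignment (the `@@ -1518,8 +1506,9 @@` hunk and its final form in the `@@ -1508,7 +1508,7 @@` hunk of patch 2/2). It skips leading delimiters, so a cookie value such as `:abc` yields `abc`, the part after the colon, as the username, and it returns `false` for an empty value, which then goes straight into `sanitize_user()`. It also overwrites PHP's global tokenizer state. `$user_login = sanitize_user( explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 )[0] );` always takes the text before the first colon and always passes a string. The cookie is client-controlled, so also confirm that the prefilled field is escaped on output, which happens outside these hunks.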