From dac075fbb716c0fc6a6f68ec71e66096ddd94fb3 Mon Sep 17 00:00:00 2001 From: Rinkal Pagdar <92097119+rinkalpagdar@users.noreply.github.com> Date: Wed, 15 Jan 2025 14:20:04 +0530 Subject: [PATCH 01/19] Prepopulate Username after password for login reset to meet WCAG 2.2 --- src/wp-login.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index fb419ac4454ab..2efd693c14d48 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -996,14 +996,16 @@ function wp_login_viewport_meta() { * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. */ do_action( 'validate_password_reset', $errors, $user ); - + if ( isset( $_GET['user'] ) ) { + $username = wp_unslash( $_GET['user'] ); + } if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); login_header( __( 'Password Reset' ), wp_get_admin_notice( - __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', + __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', array( 'type' => 'info', 'additional_classes' => array( 'message', 'reset-pass' ), @@ -1030,7 +1032,7 @@ function wp_login_viewport_meta() { ); ?> -
+
@@ -1506,6 +1508,9 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); + if ( isset( $_GET['user'] ) ) { + $user_login = wp_unslash( $_GET['user'] ); + } ?> From dfc004ed3cd3283a527776699e08fbcb07d5a592 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 12:38:53 -0600 Subject: [PATCH 02/19] Properly escape login URL + username --- src/wp-login.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index b8c4e9b9d244d..bf5ec1e6b9e11 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1003,10 +1003,14 @@ function wp_login_viewport_meta() { if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + $login_url = wp_login_url(); + if ( isset( $_GET['user'] ) ) { + $login_url = add_query_arg( 'user', rawurlencode( wp_unslash( $_GET['user'] ) ), $login_url ); + } login_header( __( 'Password Reset' ), wp_get_admin_notice( - __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', + __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', array( 'type' => 'info', 'additional_classes' => array( 'message', 'reset-pass' ), From 14c4c652681b6c5faa5b5262dd5e2dd230b89925 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 12:39:56 -0600 Subject: [PATCH 03/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index bf5ec1e6b9e11..06738d85db7f9 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1037,7 +1037,7 @@ function wp_login_viewport_meta() { ); ?> - +
From 07088ce9ce55a001e5faae531db4065c6026c144 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 12:42:12 -0600 Subject: [PATCH 04/19] Remove unnecessary variable assignment --- src/wp-login.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index 06738d85db7f9..9d3d1505fc293 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -997,9 +997,7 @@ function wp_login_viewport_meta() { * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. */ do_action( 'validate_password_reset', $errors, $user ); - if ( isset( $_GET['user'] ) ) { - $username = wp_unslash( $_GET['user'] ); - } + if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); From 09542c98fc1be53ef9cf2ba79005ec72d4d656b0 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 12:45:59 -0600 Subject: [PATCH 05/19] Change 'user' param to 'user_login' Reuses an existing parameter, preventing potential interference with extensions. --- src/wp-login.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index 9d3d1505fc293..d9026383946cf 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1002,8 +1002,8 @@ function wp_login_viewport_meta() { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); $login_url = wp_login_url(); - if ( isset( $_GET['user'] ) ) { - $login_url = add_query_arg( 'user', rawurlencode( wp_unslash( $_GET['user'] ) ), $login_url ); + if ( isset( $_GET['user_login'] ) ) { + $login_url = add_query_arg( 'user_login', rawurlencode( wp_unslash( $_GET['user_login'] ) ), $login_url ); } login_header( __( 'Password Reset' ), @@ -1511,8 +1511,8 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); - if ( isset( $_GET['user'] ) ) { - $user_login = wp_unslash( $_GET['user'] ); + if ( isset( $_GET['user_login'] ) ) { + $user_login = wp_unslash( $_GET['user_login'] ); } ?> From 4805e371369adab579bee1fbc094fb00a8a62044 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 12:47:31 -0600 Subject: [PATCH 06/19] Missed one. --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index d9026383946cf..d08263391e1d3 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1035,7 +1035,7 @@ function wp_login_viewport_meta() { ); ?> - +
From 18980d35e7049fe17bc55110548af59f6e7830e4 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 13:22:07 -0600 Subject: [PATCH 07/19] Takes GET parameter, sets as session cookie, then redirects. --- src/wp-login.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index d08263391e1d3..439d0ef9c9043 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -538,6 +538,11 @@ function wp_login_viewport_meta() { setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); } +if ( isset( $_GET['user_login' ] ) ) { + setcookie( 'wp_user_login', sanitize_text_field( $_GET['user_login'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); + wp_safe_redirect( wp_login_url() ); +} + /** * Fires when the login form is initialized. * @@ -1002,8 +1007,8 @@ function wp_login_viewport_meta() { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); $login_url = wp_login_url(); - if ( isset( $_GET['user_login'] ) ) { - $login_url = add_query_arg( 'user_login', rawurlencode( wp_unslash( $_GET['user_login'] ) ), $login_url ); + if ( isset( $_COOKIE['wp_user_login'] ) ) { + $login_url = add_query_arg( 'user_login', rawurlencode( wp_unslash( $_COOKIE['wp_user_login'] ) ), $login_url ); } login_header( __( 'Password Reset' ), @@ -1511,8 +1516,8 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); - if ( isset( $_GET['user_login'] ) ) { - $user_login = wp_unslash( $_GET['user_login'] ); + if ( isset( $_COOKIE['wp_user_login'] ) ) { + $user_login = wp_unslash( $_COOKIE['wp_user_login'] ); } ?> From cdaa4b699c75689eac49fb66d6e9ba32797b1b6b Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Sun, 8 Feb 2026 13:23:25 -0600 Subject: [PATCH 08/19] Update wp-login.php --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index 439d0ef9c9043..c944fd41ce33a 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -538,7 +538,7 @@ function wp_login_viewport_meta() { setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); } -if ( isset( $_GET['user_login' ] ) ) { +if ( isset( $_GET['user_login'] ) ) { setcookie( 'wp_user_login', sanitize_text_field( $_GET['user_login'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); wp_safe_redirect( wp_login_url() ); } From a72aa80986a25b26810b22aeec09e23ba1a43e40 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 11:18:53 -0600 Subject: [PATCH 09/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index c944fd41ce33a..d180ca85266e1 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -539,7 +539,7 @@ function wp_login_viewport_meta() { } if ( isset( $_GET['user_login'] ) ) { - setcookie( 'wp_user_login', sanitize_text_field( $_GET['user_login'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); + setcookie( 'wp_user_login', sanitize_text_field( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); wp_safe_redirect( wp_login_url() ); } From 58631cf326f94a24dddc909495b6a76ad8178de1 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 11:27:51 -0600 Subject: [PATCH 10/19] Switch sanitizing to `sanitize_user()` --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index d180ca85266e1..cb75301a81715 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -539,7 +539,7 @@ function wp_login_viewport_meta() { } if ( isset( $_GET['user_login'] ) ) { - setcookie( 'wp_user_login', sanitize_text_field( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); + setcookie( 'wp_user_login', sanitize_user( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); wp_safe_redirect( wp_login_url() ); } From 0ae9678e5125c22b525d70c0696abe53c5d51d00 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 13:10:44 -0600 Subject: [PATCH 11/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index cb75301a81715..3e73ac113d1a8 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1008,7 +1008,7 @@ function wp_login_viewport_meta() { setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); $login_url = wp_login_url(); if ( isset( $_COOKIE['wp_user_login'] ) ) { - $login_url = add_query_arg( 'user_login', rawurlencode( wp_unslash( $_COOKIE['wp_user_login'] ) ), $login_url ); + $login_url = add_query_arg( 'user_login', rawurlencode( sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ) ), $login_url ); } login_header( __( 'Password Reset' ), From e98ea3d483bf2091c0063c5c2019faeebea2d0d9 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 13:12:48 -0600 Subject: [PATCH 12/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index 3e73ac113d1a8..8897ebbcebb38 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1517,7 +1517,7 @@ function wp_login_viewport_meta() { wp_enqueue_script( 'user-profile' ); if ( isset( $_COOKIE['wp_user_login'] ) ) { - $user_login = wp_unslash( $_COOKIE['wp_user_login'] ); + $user_login = sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ); } ?> From d8cb6d6a28ef7cf1a4f777bb8ddc02c9b57aa791 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 17:00:04 -0600 Subject: [PATCH 13/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index 8897ebbcebb38..fda4c2bb26612 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -540,7 +540,9 @@ function wp_login_viewport_meta() { if ( isset( $_GET['user_login'] ) ) { setcookie( 'wp_user_login', sanitize_user( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); - wp_safe_redirect( wp_login_url() ); + if ( wp_safe_redirect( wp_login_url() ) ) { + exit; + } } /** From 7b063ef42e5e4538f7883f2b82cae57e58f0b10c Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 17:04:08 -0600 Subject: [PATCH 14/19] Don't get cookie value if $user_login already set. --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index fda4c2bb26612..e062651eae0fc 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1518,7 +1518,7 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); - if ( isset( $_COOKIE['wp_user_login'] ) ) { + if ( ! $user_login && isset( $_COOKIE['wp_user_login'] ) ) { $user_login = sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ); } ?> From d058d722dfff1c31f6dabb5d3b23c39b5a98c1d1 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Mon, 9 Feb 2026 17:31:09 -0600 Subject: [PATCH 15/19] Remove user_login param from resetpassform This isn't needed; the value is already available after submitting the form. --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index e062651eae0fc..72538db4c39ce 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1042,7 +1042,7 @@ function wp_login_viewport_meta() { ); ?> - +
From 3d6bffd1cfe71419986e64ec5650052a7c1e512f Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Mon, 9 Feb 2026 16:35:30 -0800 Subject: [PATCH 16/19] Reuse rp cookie for obtaining user --- src/wp-login.php | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index 72538db4c39ce..1d2a328ff2651 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -538,13 +538,6 @@ function wp_login_viewport_meta() { setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); } -if ( isset( $_GET['user_login'] ) ) { - setcookie( 'wp_user_login', sanitize_user( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); - if ( wp_safe_redirect( wp_login_url() ) ) { - exit; - } -} - /** * Fires when the login form is initialized. * @@ -1007,15 +1000,10 @@ function wp_login_viewport_meta() { if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); - setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); - $login_url = wp_login_url(); - if ( isset( $_COOKIE['wp_user_login'] ) ) { - $login_url = add_query_arg( 'user_login', rawurlencode( sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ) ), $login_url ); - } login_header( __( 'Password Reset' ), wp_get_admin_notice( - __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', + __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '', array( 'type' => 'info', 'additional_classes' => array( 'message', 'reset-pass' ), @@ -1518,8 +1506,9 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); - if ( ! $user_login && isset( $_COOKIE['wp_user_login'] ) ) { - $user_login = sanitize_user( wp_unslash( $_COOKIE['wp_user_login'] ) ); + $rp_cookie = 'wp-resetpass-' . COOKIEHASH; + if ( ! $user_login && isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) { + $user_login = sanitize_user( wp_unslash( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ) ); } ?> From 57dbb4cee5b4c0e5d2df727338a64aa2253d5b35 Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Mon, 9 Feb 2026 16:43:37 -0800 Subject: [PATCH 17/19] Remove redundant wp_unslash() --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index 1d2a328ff2651..944aefa184735 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1508,7 +1508,7 @@ function wp_login_viewport_meta() { wp_enqueue_script( 'user-profile' ); $rp_cookie = 'wp-resetpass-' . COOKIEHASH; if ( ! $user_login && isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) { - $user_login = sanitize_user( wp_unslash( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ) ); + $user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ); } ?> From b8b2f7206bd0c3fc2ea0bb6dab663c93eee36044 Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Tue, 10 Feb 2026 10:04:40 -0800 Subject: [PATCH 18/19] Clear resetpass cookie after the user login is read from it Co-authored-by: Joe Dolson --- src/wp-login.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/wp-login.php b/src/wp-login.php index 944aefa184735..aeb368b6b5d32 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1486,6 +1486,14 @@ function wp_login_viewport_meta() { wp_clear_auth_cookie(); } + // Obtain user from password reset cookie flow before clearing cookie. + $rp_cookie = 'wp-resetpass-' . COOKIEHASH; + if ( isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) { + $user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ); + list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) ); + setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + } + login_header( __( 'Log In' ), '', $errors ); if ( isset( $_POST['log'] ) ) { @@ -1506,10 +1514,6 @@ function wp_login_viewport_meta() { } wp_enqueue_script( 'user-profile' ); - $rp_cookie = 'wp-resetpass-' . COOKIEHASH; - if ( ! $user_login && isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) { - $user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) ); - } ?> From 76220d0d5e2a09ca8bd89c9165f8860ed3120428 Mon Sep 17 00:00:00 2001 From: Joe Dolson Date: Tue, 10 Feb 2026 13:21:41 -0600 Subject: [PATCH 19/19] Update src/wp-login.php Co-authored-by: Weston Ruter --- src/wp-login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-login.php b/src/wp-login.php index aeb368b6b5d32..4bd2284c5244c 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -1486,7 +1486,7 @@ function wp_login_viewport_meta() { wp_clear_auth_cookie(); } - // Obtain user from password reset cookie flow before clearing cookie. + // Obtain user from password reset cookie flow before clearing the cookie. $rp_cookie = 'wp-resetpass-' . COOKIEHASH; if ( isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) { $user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) );