Skip to content

The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2 #8122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
rinkalpagdar wants to merge 20 commits into from
+8 −1
Closed

The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2 #8122

Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
dac075f
Prepopulate Username after password for login reset to meet WCAG 2.2
rinkalpagdar Jan 15, 2025
932d202
Merge branch 'trunk' into pr/8122
joedolson Feb 8, 2026
dfc004e
Properly escape login URL + username
joedolson Feb 8, 2026
14c4c65
Update src/wp-login.php
joedolson Feb 8, 2026
07088ce
Remove unnecessary variable assignment
joedolson Feb 8, 2026
09542c9
Change 'user' param to 'user_login'
joedolson Feb 8, 2026
4805e37
Missed one.
joedolson Feb 8, 2026
18980d3
Takes GET parameter, sets as session cookie, then redirects.
joedolson Feb 8, 2026
cdaa4b6
Update wp-login.php
joedolson Feb 8, 2026
a72aa80
Update src/wp-login.php
joedolson Feb 9, 2026
58631cf
Switch sanitizing to `sanitize_user()`
joedolson Feb 9, 2026
0ae9678
Update src/wp-login.php
joedolson Feb 9, 2026
e98ea3d
Update src/wp-login.php
joedolson Feb 9, 2026
d8cb6d6
Update src/wp-login.php
joedolson Feb 9, 2026
7b063ef
Don't get cookie value if $user_login already set.
joedolson Feb 9, 2026
d058d72
Remove user_login param from resetpassform
joedolson Feb 9, 2026
3d6bffd
Reuse rp cookie for obtaining user
westonruter Feb 10, 2026
57dbb4c
Remove redundant wp_unslash()
westonruter Feb 10, 2026
b8b2f72
Clear resetpass cookie after the user login is read from it
westonruter Feb 10, 2026
76220d0
Update src/wp-login.php
joedolson Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion src/wp-login.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1000,7 +1000,6 @@ function wp_login_viewport_meta() {

if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
reset_password( $user, $_POST['pass1'] );
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header(
__( 'Password Reset' ),
wp_get_admin_notice(
Expand Down Expand Up @@ -1487,6 +1486,14 @@ function wp_login_viewport_meta() {
wp_clear_auth_cookie();
}

// Obtain user from password reset cookie flow before clearing the cookie.
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
if ( isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) {
$user_login = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) );
list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
}

login_header( __( 'Log In' ), '', $errors );

if ( isset( $_POST['log'] ) ) {
Expand Down
Loading