Users: Check that a valid user is passed to get_password_reset_key().

Props edocev. Fixes #44601. Built from https://develop.svn.wordpress.org/trunk@44602 git-svn-id: http://core.svn.wordpress.org/trunk@44433 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-15 06:27:49 +00:00
parent a5d8a6bde3
commit 8ddef3e98d
2 changed files with 5 additions and 1 deletions
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2217,6 +2217,10 @@ function wp_get_password_hint() {
 function get_password_reset_key( $user ) {
 	global $wpdb, $wp_hasher;

+	if ( ! ( $user instanceof WP_User ) ) {
+		return new WP_Error( 'invalidcombo', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
+	}
+
 	/**
 	 * Fires before a new password is retrieved.
 	 *