Login and Registration: Flush user_activation_key after successfully login.

This changeset ensures the `user_activation_key` is flushed after successful login, so reset password links can not be used anymore after the user successfully log into their dashboard. Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya. Fixes #58901. See #32429 Built from https://develop.svn.wordpress.org/trunk@58333 git-svn-id: http://core.svn.wordpress.org/trunk@57789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-26 06:45:07 +02:00 · 2024-06-04 14:44:16 +00:00 · 2024-06-04 14:44:16 +00:00 · 5d6ac060ba
commit 5d6ac060ba
parent b61bce3b08
2 changed files with 23 additions and 1 deletions
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -110,6 +110,28 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 	}

 	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
+
+	/**
+	 * @global wpdb $wpdb WordPress database abstraction object.
+	 */
+	global $wpdb;
+
+	// Flush `user_activation_key` if exists after successful login.
+	if ( ! empty( $user->user_activation_key ) ) {
+		$wpdb->update(
+			$wpdb->users,
+			array(
+				'user_activation_key' => '',
+			),
+			array( 'ID' => $user->ID ),
+			array( '%s' ),
+			array( '%d' )
+		);
+
+		// Empty user_activation_key object.
+		$user->user_activation_key = '';
+	}
+
 	/**
 	 * Fires after the user has successfully logged in.
 	 *
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.6-alpha-58332';
+$wp_version = '6.6-alpha-58333';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.