From 655d44ffe813eb9a64e30a6339316338246e9efc Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Wed, 16 Jan 2019 04:27:50 +0000
Subject: [PATCH] Users: Add extra checking to `wp_new_user_notification()`.

Prevent a notification from being sent when an unrecognised value is passed in the `$notify` parameter.

Props cthreelabs, 360zen.
Fixes #44293.

Built from https://develop.svn.wordpress.org/trunk@44611

git-svn-id: http://core.svn.wordpress.org/trunk@44442 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/pluggable.php | 5 +++++
 wp-includes/version.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 46e11055ea..0e9d4ad2f0 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1894,6 +1894,11 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) :
 _deprecated_argument( __FUNCTION__, '4.3.1' );
 }

+ // Accepts only 'user', 'admin' , 'both' or default '' as $notify
+ if ( ! in_array( $notify, array( 'user', 'admin', 'both', '' ), true ) ) {
+ return;
+ }
+
 global $wpdb, $wp_hasher;
 $user = get_userdata( $user_id );

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 36831116e6..59207f564c 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.1-beta1-44610';
+$wp_version = '5.1-beta1-44611';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
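Review bot: The new guard in the wp-includes/pluggable.php hunk returns silently, so a caller that passes a mistyped string, or a non-string such as `null` or `false` (the strict `in_array()` rejects those as well), now gets no notification at all and no hint why. Failing closed is the right default for a message path like this, but the rejection should be visible to developers, for example `_doing_it_wrong( __FUNCTION__, 'Unrecognised $notify value; no notification sent.', '5.1.0' );` just before the `return;`. The inline comment would also read better if it stated the consequence rather than restating the list: `// Only 'user', 'admin', 'both' or the default '' are valid for $notify; any other value sends nothing.` The function's signature and docblock lie outside the hunk, so whether the accepted values and the new no-op behaviour are documented there cannot be confirmed from here.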