The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.
Adds unit tests.
Props kraftbj, adamsilverstein, welcher, ocean90.
Fixes#33654.
(Don't ask for new pluggables kthxbye)
Built from https://develop.svn.wordpress.org/trunk@34116
git-svn-id: http://core.svn.wordpress.org/trunk@34084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_password_change_notification()` is now called at the 'after_password_reset'
action, rather than being invoked directly from the `reset_password()` function.
In order to make it possible to call `wp_password_change_notification()` as a
`do_action()` callback, the function signature has to be changed so that the
`$user` parameter is expected to be a value rather than a reference. Since
PHP 5.0, objects are passed by reference, so `&$user` was unnecessary anyway.
Props dshanske, thomaswm.
See #33587.
Built from https://develop.svn.wordpress.org/trunk@34107
git-svn-id: http://core.svn.wordpress.org/trunk@34075 1a063a9b-81f0-0310-95a4-ce76da25c4cd
