Hello David,
Thank you for using our plugin. I am sorry to read about your issue.
Can you please tell us a bit more about your setup, and how your website is set up (which plugins are being used / causing this, etc.), so that there is one parameter or no parameters when the action hook is called?
We’d like to better understand your setup and also reproduce the issue from our end so we can create a fix. We avoid adding “blind fixes” because such fixes could be affecting other areas of the plugin.
Looking forward to hearing from you.
Basically, we have a custom plugin that makes use of this hook without providing a second argument (without $user_data), this way:
do_action( 'lostpassword_post', $errors );
This doesn’t cause any problem without WP-2FA (as all the functions in WordPress called by this hook receive one argument), but if WP-2FA is active, this call generates a fatal error due to the missing parameter.
We just propose that you simply change line 46 of class-reset-passord.php from:
public static function lostpassword_post( $errors, $user_data ) {
to:
public static function lostpassword_post( $errors, $user_data = false ) {
Hello David,
Thank you for the explanation. We’ve looked into this and discussed it with the team; as of v5.4 a second parameter was added to this action (https://developer.ww.wp.xz.cn/reference/hooks/lostpassword_post/). This parameter increases the security of the whole process, hence as a security plugin we expect that to be present.
I understand that WordPress core accepts a single parameter, but that is because of backward compatibility and to make up for old plugins which might not have been updated yet.
So, considering this is a custom plugin and this is a security improvement, our recommendation is to update the custom plugin rather than allow “less secure” practice via our plugin.
I hope the above clarifies the issue. Should you have any other questions, please do not hesitate to ask.
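
The mismatch discussed in this thread, as an added example that is not code from either poster, from WP-2FA or from WordPress core: a minimal stand-in for hook dispatch shows why a one-argument call fails against a two-parameter listener, and what the updated caller looks like. The names demo_add_action, demo_do_action and demo_listener and the sample user are assumptions made for illustration.

```php
<?php
// Added illustration: simplified stand-in for WordPress hook dispatch (hypothetical names).
$hooks = [];

function demo_add_action(string $tag, callable $cb, int $accepted_args): void {
    global $hooks;
    $hooks[$tag][] = [$cb, $accepted_args];
}

function demo_do_action(string $tag, ...$args): void {
    global $hooks;
    foreach ($hooks[$tag] ?? [] as [$cb, $accepted]) {
        // At most $accepted arguments are forwarded; missing ones are never filled in.
        call_user_func_array($cb, array_slice($args, 0, $accepted));
    }
}

// Listener with the two-parameter signature quoted in the thread.
function demo_listener($errors, $user_data): void {
    // Since WordPress 5.4 the second argument is a WP_User object or false.
    echo $user_data
        ? "user resolved: {$user_data->user_login}\n"
        : "no matching user\n";
}
demo_add_action('lostpassword_post', 'demo_listener', 2);

$errors = new stdClass();                               // stands in for WP_Error
$user   = (object) ['user_login' => 'constructed-user']; // constructed sample user

// 1) Caller as described in the thread: one argument only.
try {
    demo_do_action('lostpassword_post', $errors);
} catch (ArgumentCountError $e) {
    // Uncaught, this is the fatal error reported in the thread.
    echo "fatal when uncaught: ", $e->getMessage(), "\n";
}

// 2) Updated caller: always pass the user lookup result, or false when none was found.
demo_do_action('lostpassword_post', $errors, $user);
demo_do_action('lostpassword_post', $errors, false);
```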