Password Recovery doesn’t check if username exists
Using bbPress 0.9 and WordPress 2.7 — when a user tries to perform a password recovery, it’ll accept anything. It doesn’t give an error message if the username doesn’t exist.
Case study (this actually happened):
A user “forgot” his password, but it turned out he had actually never registered. So he goes to the password recovery page, enters a username that doesn’t exist, and is then greeted with the default reset password text, saying “An email has been sent to the address we have on file for you.” That text made him expect an email which never came.
A. Is this something that can be fixed? B. Is this something that should be filed as a bug?
- You must be logged in to reply to this topic.