User locked out of account on saving new email

Hi

I noticed that if a user saves an erroneous new email address, he will be locked out of his account.

STEPS

  1. Go to your user account settings
  2. Set a new email address. Imagine you want to set john@gmail.com, but you write johnn@gmail.com
  3. System asks for password before saving. Insert correct password
  4. New (wrong) email is saved
  5. Verification email sent to wrong email address

RESULT

  1. If user logs out without noticing mistake, he can’t enter with old email address because system alerts that he needs to verify the new email address
  2. User is unable to verify new address because system email was sent to wrong one
  3. User is locked out

EXPECTED BEHAVIOR
Before saving new email address, verify first via system verification email, then save.

Hope this can be solved soon!

I haven’t tested this, but nice catch!

Thanks for reporting this issue. Please let me know if the user is logged out automatically after this. If not, then a temporary workaround is changing the email back (since the current password is the same).

We’ll also add some kind of cancellation option to revert the email address in the next HivePress core update.

Hi

No, the user is not logged out automatically. If he notices the wrong email, he can still set it back. The issue happens when he changes the email to a wrong one and then logs out himself; he will not get back in.

Thanks for the details, we’ll check how WordPress resolves this issue in their core password reset process and fix this in the next HivePress core update.
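
The "verify first, then save" behaviour requested in the report, together with the cancellation option mentioned in the replies, as an added example that is not HivePress or WordPress code. The class and method names, the in-memory store and the 24-hour token lifetime are assumptions, and the password prompt from step 3 is assumed to have already passed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class Accounts:
    """Hypothetical in-memory account store illustrating a pending email change."""

    def __init__(self):
        self.email = {}    # user_id -> verified address, the only one login accepts
        self.pending = {}  # user_id -> (new_email, sha256(token), expires_at)

    def request_email_change(self, user_id, new_email, now=None):
        """Park the new address as pending; return the token to mail to it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a leaked store cannot confirm a change.
        self.pending[user_id] = (new_email, digest, now + TOKEN_TTL)
        return token

    def confirm_email_change(self, user_id, token, now=None):
        """Promote the pending address only if the mailed token is presented."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        new_email, digest, expires_at = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expires_at or not hmac.compare_digest(supplied, digest):
            return False
        self.email[user_id] = new_email
        del self.pending[user_id]
        return True

    def cancel_email_change(self, user_id):
        """Drop a mistyped pending address; the verified one was never touched."""
        return self.pending.pop(user_id, None) is not None

    def login_email(self, user_id):
        """Address the login form accepts: always the last verified one."""
        return self.email[user_id]
```

With this ordering a typo such as johnn@ only produces an unconfirmed pending entry, so logging out and back in with the old address still works.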