From 7ca72596fea4e8b27ef3ac559877c2cc0a623588 Mon Sep 17 00:00:00 2001
From: joedolson <joedolson@git.wordpress.org>
Date: Tue, 10 Feb 2026 19:52:40 +0000
Subject: [PATCH] Login and Registration: Populate username after password
 reset.

Accessibility: to meet WCAG 2.2/3.3.7: Redundant entry, the username should be auto-populated when a user performs a password reset.

There is an existing cookie set that contains this information, but was deleted before displaying the login form.

Move cookie deletion to occur after displaying login form and use to set `$user_login`.

Props estelaris, alh0319, sabernhardt, oglekler, peterwilsoncc, rcreators, rishavdutta, chaion07, stoyangeorgiev, rinkalpagdar, pratiklondhe, lukasfritzedev, ferdoused, audrasjb, westonruter, joedolson.
Fixes #60726.
Built from https://develop.svn.wordpress.org/trunk@61610


git-svn-id: http://core.svn.wordpress.org/trunk@60921 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/version.php | 2 +-
 wp-login.php            | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/wp-includes/version.php b/wp-includes/version.php
index a905d40bb0..16ce5cd850 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-alpha-61609';
+$wp_version = '7.0-alpha-61610';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-login.php b/wp-login.php
index c9db31826b..4bd2284c52 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -1000,7 +1000,6 @@ switch ( $action ) {
 
 		if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
 			reset_password( $user, $_POST['pass1'] );
-			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
 			login_header(
 				__( 'Password Reset' ),
 				wp_get_admin_notice(
@@ -1487,6 +1486,14 @@ switch ( $action ) {
 			wp_clear_auth_cookie();
 		}
 
+		// Obtain user from password reset cookie flow before clearing the cookie.
+		$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
+		if ( isset( $_COOKIE[ $rp_cookie ] ) && is_string( $_COOKIE[ $rp_cookie ] ) ) {
+			$user_login      = sanitize_user( strtok( wp_unslash( $_COOKIE[ $rp_cookie ] ), ':' ) );
+			list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+			setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
+		}
+
 		login_header( __( 'Log In' ), '', $errors );
 
 		if ( isset( $_POST['log'] ) ) {