In WP-Members 3.3.5, I added a new feature option for password reset to use a reset link. There have been some isolated reports of problems with this process where a user is sent a link, then receives a message that the activation key is expired when they try to reset the password.
It seems that there have been some issues with caching in the process. In the installs I investigated that reported this issue, the activation key value was being cached rather than generated each time. This led to multiple users having the exact same key value. When a query was done by key value, multiple users matched the same key, so much of the time the wrong user was returned. That is why the users who reported this as a problem indicated it seemed intermittent.
Even if you don’t understand the explanation, that’s OK because I’ve resolved the problem and am implementing a revised version of the entire password reset object class. The revised version more closely mimics the native WP process. In fact, it now uses the native WP functions and WP’s user_activation_key value.
Additionally, where the new WP-Members process only passed the activation key in the link, WP’s process passed both the activation key and the username. The revised object class will now do the same so that when the key is validated, it is validated for that specific user (same as WP does now). So even if the key is cached and used more than once, it will be validated based on the user it is assigned to.
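The key-plus-username check described above, sketched with WordPress's native `get_password_reset_key()` and `check_password_reset_key()` functions. This is an added example, not the WP-Members class or the gist; the `example_` function names and the `$reset_page_url` and `$query` parameters are assumptions, and it runs inside a loaded WordPress install.

```php
<?php
// Added example. Names prefixed example_ are hypothetical, not WP-Members code.

/**
 * Build a reset link that carries both the key and the login,
 * the same pair wp-login.php puts in its own reset links.
 *
 * @return string|WP_Error Link on success, WP_Error if no key could be issued.
 */
function example_reset_link( WP_User $user, $reset_page_url ) {
	// Issues a fresh random key for this user and stores only its hash,
	// with a timestamp, in that user's user_activation_key field.
	$key = get_password_reset_key( $user );
	if ( is_wp_error( $key ) ) {
		return $key;
	}
	// add_query_arg() does not encode values, so encode the login here.
	return add_query_arg(
		array(
			'key'   => $key,
			'login' => rawurlencode( $user->user_login ),
		),
		$reset_page_url
	);
}

/**
 * Validate a reset request for the specific user named in the link.
 *
 * @param array $query Request parameters, normally $_GET.
 * @return WP_User|WP_Error The matching user, or an error to show.
 */
function example_validate_reset_request( array $query ) {
	$key   = isset( $query['key'] ) ? (string) wp_unslash( $query['key'] ) : '';
	$login = isset( $query['login'] ) ? (string) wp_unslash( $query['login'] ) : '';
	if ( '' === $key || '' === $login ) {
		return new WP_Error( 'invalid_key', 'Missing key or login.' );
	}
	// The user is looked up by login first, then the key is checked against
	// the hash stored for that user only. A key value that also exists on
	// another account cannot select that account.
	$user = check_password_reset_key( $key, $login );
	if ( is_wp_error( $user ) ) {
		// Error code is 'invalid_key' or 'expired_key'.
		return $user;
	}
	return $user; // Safe to call reset_password( $user, $new_password ) now.
}
```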
This change will be implemented in version 3.3.8. But in the meantime, you can easily apply the patch by replacing the wp-members/includes/class-wp-members-pwd-reset.php file with the version at the gist below:
The new registration validation feature will be getting a similar upgrade. There are still some additional elements being worked on (such as incorporating moderated registration), but in the meantime, the class-wp-members-validation-link.php file can be replaced with this: