Yes Thank you Cristián.
Its a WordPress bug introduced 10 months ago in wp-includes/general-template.php
function wp_lostpassword_url( $redirect = '' ) {
$args = array( 'action' => 'lostpassword' );
if ( !empty($redirect) ) {
$args['redirect_to'] = $redirect;
}
$lostpassword_url = add_query_arg( $args, network_site_url('wp-login.php', 'login') );
return apply_filters( 'lostpassword_url', $lostpassword_url, $redirect );
}
Should be
function wp_lostpassword_url( $redirect = '' ) {
$args = array( 'action' => 'lostpassword' );
if ( !empty($redirect) ) {
$args['redirect_to'] = $redirect;
}
$lostpassword_url = add_query_arg( $args, site_url('wp-login.php', 'login') );
return apply_filters( 'lostpassword_url', $lostpassword_url, $redirect );
}
Also WordPress is generating the incorrect email in wp-login.php
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
should be
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";