diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index d7713b7..3443867 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -2205,6 +2205,8 @@ if ( !function_exists('wp_set_password') ) :
 /**
  * Updates the user's password with a new encrypted one.
  *
+ * The $password value must first be sanitized with wp_slash().
+ *
  * For integration with other applications, this function can be overwritten to
  * instead use the other package password checking algorithm.
  *
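Review bot: The sentence added to the wp_set_password() docblock describes wp_slash() as sanitizing, but wp_slash() only adds backslash escaping and does not validate or clean the value, so the wording invites readers to treat a slashed password as made safe. The same wording appears in the two hunks for src/wp-includes/user.php (the 'user_password' and 'user_pass' sentences). I would write ` * The $password value is expected to be slashed; pass it through wp_slash() first.` and add one sentence giving the reason. Presumably the concern is that a password hashed under one slashing convention will not verify under another, but the function body is outside this hunk, so confirm which code paths unslash before stating that.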
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index a83e57e..e087527 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -13,6 +13,8 @@
  * 'remember' indices. If the credentials is not given, then the log in form
  * will be assumed and used if set.
  *
+ * The 'user_password' value must first be sanitized with wp_slash().
+ *
  * The various authentication cookies will be set by this function and will be
  * set for a longer period depending on if the 'remember' credential is set to
  * true.
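Review bot: The new requirement on 'user_password' does not say whether it also applies when $credentials is omitted and the login form values are used, which is the case the preceding sentence describes. Request data in WordPress normally arrives already slashed, so a caller who reads this line literally and slashes such a value again would likely produce a double-escaped password that fails to authenticate. Scoping the sentence would avoid that, for example ` * When passing $credentials explicitly, 'user_password' is expected to be slashed (see wp_slash()).`. The function body is outside this hunk, so check the fallback path before settling the wording.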
@@ -1714,7 +1716,7 @@ function wp_insert_user( $userdata ) {
  * Update a user in the database.
  *
  * It is possible to update a user's password by specifying the 'user_pass'
- * value in the $userdata parameter array.
+ * value in the $userdata parameter array. The 'user_pass' value must first be sanitized with wp_slash().
  *
  * If current user's password is being updated, then the cookies will be
  * cleared.
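Review bot: The appended sentence makes this docblock line much longer than its neighbours, which wrap at roughly 80 columns, and it hides the requirement at the end of an existing sentence. Put it in its own paragraph as the other two hunks do: ` *` followed by ` * The 'user_pass' value is expected to be slashed; see wp_slash().`. The function this docblock documents begins below the hunk, so whether the value is unslashed before hashing cannot be checked from here.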
