Index: wp-includes/user.php
===================================================================
--- wp-includes/user.php	(revision 50913)
+++ wp-includes/user.php	(working copy)
@@ -1785,8 +1785,26 @@
 		$user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass;
 	} else {
 		$update = false;
+
+        /**
+         * Filters a password before hashing it.
+         *
+         * @since 5.7.3
+         *
+         * @param string $userdata['user_pass'] The user's password.
+         */
+        $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+
+        if ( empty( $pre_hash_password ) ) {
+            return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
+        }
+
+        if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+            return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
+        }
+
 		// Hash the password.
-		$user_pass = wp_hash_password( $userdata['user_pass'] );
+		$user_pass = wp_hash_password( $pre_hash_password );
 	}
 
 	$sanitized_user_login = sanitize_user( $userdata['user_login'], true );
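Review bot: `empty( $pre_hash_password )` in the added check treats the one-character password `"0"` as empty, and nothing confirms the filter returned a string before `strpos()` runs on it, so a callback that returns a non-empty array reaches `strpos()` with a non-string; the same two checks are repeated in the second hunk. A stricter guard would be `if ( ! is_string( $pre_hash_password ) || '' === $pre_hash_password ) {`. The docblock's `@param string $userdata['user_pass']` is not a valid parameter name; `@param string $password The plaintext password, before hashing.` reads better and makes it explicit that callbacks are handed the plaintext. The added lines are indented with spaces while the surrounding context uses tabs.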
@@ -2199,9 +2217,21 @@
 	$user = add_magic_quotes( $user );
 
 	if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
+
+        /** This filter is documented in wp-includes/user.php */
+        $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+
+        if ( empty( $pre_hash_password ) ) {
+            return new WP_Error( 'empty_pre_hash_password', __( 'Empty password.' ) );
+        }
+
+        if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+            return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
+        }
+
 		// If password is changing, hash it now.
-		$plaintext_pass        = $userdata['user_pass'];
-		$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
+		$plaintext_pass        = $pre_hash_password;
+		$userdata['user_pass'] = wp_hash_password( $pre_hash_password );
 
 		/**
 		 * Filters whether to send the password change email.
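Review bot: The validation added at the top of this branch duplicates the block in the first hunk but returns a different message (`'Empty password.'`) under the same error code `empty_pre_hash_password`, so the two paths can drift apart; a small shared helper that applies the filter and returns either the string or a `WP_Error` would keep them aligned. `$plaintext_pass` now holds the filtered value rather than what the caller submitted, and its later use lies outside this hunk, so any code relying on it being the submitted password should be re-checked. A comment such as `// $plaintext_pass is the post-filter password; never log or persist it.` above the assignment would make that explicit.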
