--- wordpress/wp-admin/includes/user.php.old	2023-02-25 22:45:08.634001726 +0000
+++ wordpress/wp-admin/includes/user.php	2023-02-25 22:49:34.327458376 +0000
@@ -623,8 +623,10 @@
 
 	if ( ! empty( $request['success_url'] ) ) {
 		$scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
+		$host = wp_parse_url( $request['success_url'], PHP_URL_HOST );
+		$host_is_localhost = preg_match('/^localhost(:[0-9]+)?$/i', $host);
 
-		if ( 'http' === $scheme ) {
+		if ( 'http' === $scheme && !$host_is_localhost ) {
 			$error->add(
 				'invalid_redirect_scheme',
 				__( 'The success URL must be served over a secure connection.' )
@@ -634,8 +636,10 @@
 
 	if ( ! empty( $request['reject_url'] ) ) {
 		$scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
+		$host = wp_parse_url( $request['reject_url'], PHP_URL_HOST );
+		$host_is_localhost = preg_match('/^localhost(:[0-9]+)?$/i', $host);
 
-		if ( 'http' === $scheme ) {
+		if ( 'http' === $scheme && !$host_is_localhost ) {
 			$error->add(
 				'invalid_redirect_scheme',
 				__( 'The rejection URL must be served over a secure connection.' )