diff --git src/wp-includes/class-wp-application-passwords.php src/wp-includes/class-wp-application-passwords.php
index 6e84e0a2b2..6840dc93f3 100644
--- src/wp-includes/class-wp-application-passwords.php
+++ src/wp-includes/class-wp-application-passwords.php
@@ -347,7 +347,7 @@ class WP_Application_Passwords {
 			}
 
 			$password['last_used'] = time();
-			$password['last_ip']   = $_SERVER['REMOTE_ADDR'];
+			$password['last_ip']   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;
 
 			$saved = static::set_user_application_passwords( $user_id, $passwords );
 
diff --git src/wp-includes/template-loader.php src/wp-includes/template-loader.php
index 0fd08545cc..91a68462a7 100644
--- src/wp-includes/template-loader.php
+++ src/wp-includes/template-loader.php
@@ -23,7 +23,7 @@ if ( wp_using_themes() ) {
  *
  * @param bool $exit Whether to exit without generating any content for 'HEAD' requests. Default true.
  */
-if ( 'HEAD' === $_SERVER['REQUEST_METHOD'] && apply_filters( 'exit_on_http_head', true ) ) {
+if ( ( isset( $_SERVER['REQUEST_METHOD'] ) && 'HEAD' === $_SERVER['REQUEST_METHOD'] ) && apply_filters( 'exit_on_http_head', true ) ) {
 	exit;
 }
 
diff --git src/wp-includes/user.php src/wp-includes/user.php
index 6d53726327..f7f36b1d08 100644
--- src/wp-includes/user.php
+++ src/wp-includes/user.php
@@ -3303,7 +3303,7 @@ function retrieve_password( $user_login = '' ) {
 	$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
 
 	if ( ! is_user_logged_in() ) {
-		$requester_ip = $_SERVER['REMOTE_ADDR'];
+		$requester_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
 		if ( $requester_ip ) {
 			$message .= sprintf(
 				/* translators: %s: IP address of password reset requester. */