wp_check_password is broken and give result false if there is ampersand (&) character on password

[nariyanto]

While testing change password method that uses wp_check_password where I was passing in a correct current password and password combination. Here are the steps to replicate this issues:

1. Now try to change the newest password to k)176p*nFXA8Qk&@mb6cI8(b
2. try to check password using wp_check_password() method, with current password contain ampersand (&) character.
3. Observe

[bookdude13]

@nariyanto Thanks for the ticket!

I am unable to reproduce this when changing a different user's password, changing my own, or doing a password reset for me. I am able to set it to your provided password and login with it just fine.

How were you testing when you saw this behavior? Was this a unit test or something similar?

[nariyanto]

Hi @bookdude13 ,

Thanks for the reply and investigation. I test and debug on our plugins and have double check it. I found that & character is converted to & before wp_check_password() function called.

Now the issue is solved, you may closed this ticket.

Regards,
Septiyan

[JaworskiMatt]

If someone runs into a similar problem while developing a plugin. Our issue was because of the default escaping of $_POST arguments - we needed an exception made for the password, so we could hash it properly.