Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#52439 closed defect (bug) (duplicate)

'authenticate' filters ignore WP_Error case

Reported by: joyously's profile joyously Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:


The core functions hooked by default to the 'authenticate' filter do not check the filtered object for WP_Error before overwriting with the authenticated user object.
This means a filter added with the default priority of 10 that passes a WP_Error is ignored, and the user is logged in anyway.

Noticed in forum topic:

Default filters are

add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_application_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );

and user.php has
add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

Change History (1)

#1 @TimothyBlynJacobs
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks for the ticket @joyously, this is being tracked already in #46748.

Note: See TracTickets for help on using tickets.