Make WordPress Core

#52439 closed defect (bug) (duplicate)

'authenticate' filters ignore WP_Error case

Reported by: joyously Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:


The core functions hooked by default to the 'authenticate' filter do not check the filtered object for WP_Error before overwriting with the authenticated user object.
This means a filter added with the default priority of 10 that passes a WP_Error is ignored, and the user is logged in anyway.

Noticed in forum topic: https://wordpress.org/support/topic/creating-an-authenticate-filter/

Default filters are

add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_application_password', 20, 3 );
add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );

and user.php has
add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

Change History (1)

#1 @TimothyBlynJacobs
10 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks for the ticket @joyously, this is being tracked already in #46748.

Note: See TracTickets for help on using tickets.