Make WordPress Core

Opened 7 months ago

Last modified 6 months ago

#59373 new defect (bug)

TypeError: str_contains() argument must be of type string, array given in wp-login.php

Reported by: timotijhof's profile TimoTijhof Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.3.1
Component: Login and Registration Keywords:
Focuses: php-compatibility Cc:


This seems to affect PHP 8.0 and higher.

Downstream report at

Seems to be an upstream issue where a $_GET or $_REQUEST key is checked for existence but not for type, thus prone to misuse when crafting query parameters in the array-form that PHP supports.

Easily reproduced, for example, at:

Change History (1)

#1 @TimoTijhof
6 months ago

I have a patch at

I've pinged this ticket three different ways, but I'm not seeing anything show up here as is implied by the above notice and the handbook at

The patch has a failing build due to End-to-end and Performance tests being flaky. I've re-run them a few times and they both pass at different times but not at the same time. I'm guessing that's common enough that it won't hinder the likelihood of code review, so I'll sit back and wait :)

Note: See TracTickets for help on using tickets.