Make WordPress Core

Opened 18 months ago

Last modified 3 months ago

#59824 new defect (bug)

PHP Warning raised in pluggable.php when passing NULL instead of a string

Reported by: budiony
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.3.3
Component: Security
Keywords: has-patch reporter-feedback
Focuses: administration, privacy
Cc:

Description

The error message is related to hash_equals(): "hash_equals(): Expected known_string to be a string, null given in /var/www/../wp-includes/pluggable.php on line 2577".

Hackers often pass NULL when attempting to trigger a leaked server warning message while accessing wp-login.php. This can be easily fixed by introducing type checking in pluggable.php:

function wp_check_password( $password, $hash, $user_id = '' ) {
	global $wp_hasher;

	// If the hash is still md5...
	if ( is_string( $hash ) && strlen( $hash ) <= 32 ) {
		// $hash is the known_string and it must be of type string.
		$check = hash_equals( $hash, md5( $password ) );
		// The rest of the function
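The following is an added example written for this page, not WordPress core code and not the patch from PR #8232. It reproduces the behaviour the report describes and shows the type guard applied to both arguments of the check. Assumptions that are not in the ticket: the stored hash is either a legacy 32-character MD5 hex digest or a password_hash() string (core compares the longer form with its phpass PasswordHash wrapper, not password_verify()), and the function names guarded_check_password() and unguarded_check_password() are hypothetical.

```php
<?php
// Added example (not WordPress core code): why a null $hash must be rejected
// before it reaches hash_equals(), and what the guard looks like.
// Assumption: hashes are either a 32-char MD5 hex digest or a password_hash()
// string; core uses its phpass PasswordHash wrapper instead of password_verify().

/**
 * Check in the shape of the original wp_check_password() MD5 branch, with no
 * type guard (hypothetical name). With a null $hash, hash_equals() emits the
 * "Expected known_string to be a string, null given" warning and returns false
 * on PHP 7, and throws a TypeError on PHP 8, whatever strict_types is set to,
 * because hash_equals() checks the argument type itself instead of coercing.
 */
function unguarded_check_password($password, $hash): bool
{
    // strlen() of a null cast to string is 0, so a null hash always takes the
    // MD5 branch and reaches hash_equals() as the known string.
    if (strlen((string) $hash) <= 32) {
        return hash_equals($hash, md5($password));
    }
    return password_verify($password, $hash);
}

/**
 * The same check with the is_string() guard from the ticket applied to both
 * arguments (hypothetical name). Anything that is not a string, or an empty
 * hash, is rejected before either comparison function sees it.
 */
function guarded_check_password($password, $hash): bool
{
    if (!is_string($password) || !is_string($hash) || $hash === '') {
        return false;
    }

    // Legacy MD5 hash: constant-time comparison, stored hash as known string.
    if (strlen($hash) <= 32) {
        return hash_equals($hash, md5($password));
    }

    // Longer stored hash: delegate to the password API.
    return password_verify($password, $hash);
}

// Constructed inputs for the demonstration.
$legacy_hash = md5('correct horse');
$modern_hash = password_hash('correct horse', PASSWORD_DEFAULT);

// Correct and wrong passwords against both stored-hash formats.
var_dump(guarded_check_password('correct horse', $legacy_hash));
var_dump(guarded_check_password('correct horse', $modern_hash));
var_dump(guarded_check_password('wrong password', $legacy_hash));

// The input from the report: null where a string hash is expected.
var_dump(guarded_check_password('correct horse', null));

// Same input through the unguarded version. The catch only fires on PHP 8;
// on PHP 7 the call emits a warning and returns false instead.
try {
    var_dump(unguarded_check_password('correct horse', null));
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. The guarded function returns true for the two correct-password calls and false for the wrong password and for the null hash, with no diagnostic for the null case; the unguarded function is where the warning (PHP 7) or TypeError (PHP 8) comes from. Note that the guard addresses the crash, not the disclosure: the path leak in the report happens because the warning is written into the HTTP response, so a production site should also run with display_errors=Off and log_errors=On in php.ini (and WP_DEBUG_DISPLAY false), which keeps any warning that does slip through in the error log rather than on wp-login.php.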

Change History (3)

This ticket was mentioned in PR #8232 on WordPress/wordpress-develop by @debarghyabanerjee.

#1
3 months ago

  • Keywords has-patch added; needs-patch removed

Trac Ticket: Core-59824

## Summary

  • This pull request addresses a bug where the hash_equals() function in the wp_check_password() function would throw an error when it received a null value as one of its arguments. This issue occurs when the hash comparison logic inadvertently passes null, causing PHP to raise a TypeError in certain edge cases, especially when a hacker attempts to pass null values in an attack. The fix ensures that both the hash and the plaintext password are properly validated as strings before calling hash_equals() and CheckPassword().

## Changes

  • Added type checks before invoking the hash_equals() function to ensure both the $hash and the result of md5($password) are valid strings.
  • Similarly, added type checks before calling $wp_hasher->CheckPassword() to ensure both $password and $hash are strings.
  • The function now gracefully handles invalid or unexpected input (such as null values) by returning false instead of causing a fatal error.

## Why is this important?

  • This change ensures that the wp_check_password() function will:
      • Avoid throwing errors when invalid inputs (like null) are provided, especially in cases of malicious requests.
      • Improve the robustness of the password-checking process, making it more secure and resilient to unexpected input.
      • Provide greater compatibility with PHP versions that support hash_equals() and newer password hashing protocols.

#2 @johnbillion
3 months ago

  • Keywords reporter-feedback added

@budiony Thanks for the report and sorry nobody got back to you sooner.

There is no code path in WordPress core that allows a null value to be passed to check_password(). Every call to wp_check_password() is preceded by either a guard condition for an empty password or a string manipulation function that casts a null value to a string.

Do you have a plugin installed on your site that calls check_password() or otherwise deals with authentication or passwords on your site? I suspect that such a plugin (or theme) is the actual root cause of the warning you're seeing on your site.

@debarghyabanerjee Please be more careful with your PRs. Attempting to fix a problem without first being able to reproduce it is not helpful and not a good use of your time or that of the people who review the PR. An AI-generated PR summary is fine as long as you verify that everything it says is accurate, which this is not.

#3 @debarghyabanerjee
3 months ago

Hi @johnbillion, sorry, my bad. I didn't check how Core was using this function. I verified the issue by calling the wp_check_password() function with null, and I was getting the error; that's why I raised a PR for it.

Additionally, I wrote the PR description myself, and just used AI to fix it grammatically.

I will be more careful from the next PR. Thanks for mentioning. Really appreciate your valuable feedback, and sorry for the mistake.
