Make WordPress Core

Opened 6 weeks ago

Closed 5 weeks ago

#63433 closed defect (bug) (fixed)

Fatal error on lostpassword if user_login is given as array

Reported by: leedxw
Owned by: SergeyBiryukov
Milestone: 6.9
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch
Focuses:
Cc:

Description

We have logged fatal errors from an attacker sending bad POST requests

PHP Fatal error:  Uncaught TypeError: trim(): Argument #1 ($string) must be of type string, array given in /var/www/html/wp-includes/user.php:3179
Stack trace:
#0 /var/www/html/wp-includes/user.php(3179): trim()
#1 /var/www/html/wp-login.php(839): retrieve_password()
#2 {main}
  thrown in /var/www/html/wp-includes/user.php on line 3179

To reproduce

curl -F user_login[]=x "http://localhost/wp-login.php?action=lostpassword"

Suggested patch

--- user.php.dist	2025-05-12 09:32:16.480168551 +0000
+++ user.php	2025-05-12 09:33:40.890850357 +0000
@@ -3173,5 +3173,5 @@
 
 	// Use the passed $user_login if available, otherwise use $_POST['user_login'].
-	if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
+	if ( ! $user_login && ! empty( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
 		$user_login = $_POST['user_login'];
 	}
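
Review bot: the is_string() test added to the changed `if` line guards only the $_POST['user_login'] fallback, so a non-string, non-empty $user_login supplied as the function argument skips this branch and can still reach the trim() call that the trace reports at user.php:3179. Checking is_string( $user_login ) once after this block, before the trim(), would cover both sources. The comment above the `if` could also state that non-string POST values are ignored.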

Change History (6)

#1
6 weeks ago

  • Keywords has-patch added

This ticket was mentioned in PR #8795 on WordPress/wordpress-develop by @dilipbheda.

#2 @mukesh27
6 weeks ago

  • Keywords reporter-feedback added
  • Version 6.8 deleted

Hi there!

Thanks for the ticket @leedxw

Could you share how you got the user_name as an array, or is it something you just tried with an array?

#3 @leedxw
6 weeks ago

Sorry, I think I put the wrong value in the title - it's user_login.

To test the value as an array, send the value as an array.

curl -F user_login[]=x "http://localhost/wp-login.php?action=lostpassword"

#4 @SergeyBiryukov
5 weeks ago

  • Milestone changed from Awaiting Review to 6.9

#5 @SergeyBiryukov
5 weeks ago

  • Keywords reporter-feedback removed
  • Summary changed from Fatal error on lostpassword if user_name is given as array to Fatal error on lostpassword if user_login is given as array

#6 @SergeyBiryukov
5 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 60240:

Login and Registration: Check that $_POST value is a string in retrieve_password().

This prevents a fatal error from trim() if an array is passed instead.

Follow-up to [6643], [19056], [41782], [50129], [50140], [59595].

Props leedxw, dilipbheda, mukesh27, SergeyBiryukov.
Fixes #63433.
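
The failure and the guard described in the commit above, as an added example (not WordPress code and not part of the ticket): parse_str() stands in for the way PHP fills $_POST, and request_string() is a hypothetical helper. It goes slightly beyond the ticket by also covering a nested array and a missing field; the request bodies are constructed.

```php
<?php
/**
 * Hypothetical helper (not a WordPress function): return a request field
 * only when it is a string, otherwise fall back to $default.
 */
function request_string( array $source, string $key, string $default = '' ): string {
	if ( ! isset( $source[ $key ] ) || ! is_string( $source[ $key ] ) ) {
		return $default;
	}
	return trim( $source[ $key ] );
}

// Constructed request bodies. The bracket syntax is what turns a field
// into an array before any application code sees it.
$bodies = array(
	'scalar' => 'user_login=alice',
	'list'   => 'user_login[]=x',
	'nested' => 'user_login[a][b]=x',
	'absent' => 'other=1',
);

foreach ( $bodies as $label => $body ) {
	// Parse the body into an array, as PHP does when it builds $_POST.
	parse_str( $body, $post );

	// Unguarded: the value goes straight to trim(). On PHP 8 an array
	// argument raises TypeError, the error logged in the ticket.
	try {
		$unguarded = var_export( trim( $post['user_login'] ?? '' ), true );
	} catch ( TypeError $e ) {
		$unguarded = 'TypeError';
	}

	// Guarded: non-string input is treated as if the field were empty,
	// so the caller can fall through to its normal "empty username" path.
	$guarded = var_export( request_string( $post, 'user_login' ), true );

	printf( "%-7s unguarded=%-10s guarded=%s\n", $label, $unguarded, $guarded );
}
```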
