Make WordPress Core

#63434 closed defect (bug) (fixed)

Warning logged if wp-login.php action is given as an array

Reported by: leedxw Owned by: SergeyBiryukov
Milestone: 6.9 Priority: normal
Severity: normal Version: 6.8
Component: Login and Registration Keywords: has-patch
Focuses: Cc:

Description

An attacker has caused a warning to be logged by providing an array for the login action.

PHP Warning:  Array to string conversion in /var/www/html/wp-login.php on line 509

To reproduce

curl -F user_login=x "http://localhost/wp-login.php?action[]=lostpassword"

Suggested patch

--- wp-login.php.dist	2025-05-12 09:44:24.926044462 +0000
+++ wp-login.php	2025-05-12 09:51:03.969310149 +0000
@@ -480,5 +480,5 @@
  */
 
-$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
+$action = ( isset( $_REQUEST['action'] ) && is_string ( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : 'login';
 $errors = new WP_Error();
 
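Review bot: on the `+` line, `is_string ( $_REQUEST['action'] )` has a stray space between the function name and its opening parenthesis; WordPress PHP coding standards put the spaces inside the parentheses and none before, i.e. `is_string( $_REQUEST['action'] )`. The logic itself is sound: an array (or any other non-string) now takes the same `'login'` fallback as a missing parameter, so the later string comparisons and escaping in wp-login.php never see the array and the "Array to string conversion" warning cannot fire. Since the fallback makes a malformed `action` indistinguishable from an absent one, a one-line comment on the `+` line saying that non-string values are deliberately treated as absent would help the next reader.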

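The reporter's reproduction relies on PHP's bracket syntax in query strings: `action[]=lostpassword` makes `$_REQUEST['action']` an array rather than a string, and the first string operation on it logs the warning. The following standalone script is an added example, not code from WordPress or from the ticket's authors: it feeds several constructed query strings through the pre-patch logic and through the patched `is_string()` check side by side, capturing the warning PHP raises so the difference is visible. The function names `parse_request`, `action_before`, `action_after` and `try_action` are assumptions made here for illustration.

```php
<?php
// Added example, not WordPress code: reproduces the "Array to string conversion"
// warning from the ticket against the pre-patch logic and checks the patched logic
// against the same inputs. Function names and query strings are constructed here.

// How PHP populates $_REQUEST for a given query string. parse_str() applies the
// same bracket syntax as the real request parser, so `action[]=x` yields an array.
function parse_request(string $query): array {
    parse_str($query, $request);
    return $request;
}

// Pre-patch logic from wp-login.php: no type check, so an array survives into $action.
function action_before(array $request) {
    return isset($request['action']) ? $request['action'] : 'login';
}

// Patched logic: only a string is accepted; anything else falls back to 'login',
// the same value used when the parameter is absent.
function action_after(array $request): string {
    return (isset($request['action']) && is_string($request['action']))
        ? $request['action']
        : 'login';
}

// Run one of the readers, then use the result as a string the way wp-login.php does
// when it compares and escapes $action, recording any warning PHP raises.
function try_action(callable $reader, array $request): array {
    $warnings = [];
    set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
        $warnings[] = $errstr;
        return true; // handled: keep it out of the error log
    });
    $action    = $reader($request);
    $as_string = (string) $action; // for an array this is the warning from the ticket
    restore_error_handler();
    return ['value' => $as_string, 'warnings' => $warnings];
}

// Constructed inputs: one well-formed request, three array forms, one absent parameter.
$queries = [
    'action=lostpassword',      // normal request
    'action[]=lostpassword',    // the reporter's reproduction
    'action[x]=lostpassword',   // associative form, same effect
    'action[][]=lostpassword',  // nested array, same effect
    '',                         // parameter absent
];

foreach ($queries as $query) {
    $request = parse_request($query);
    $before  = try_action('action_before', $request);
    $after   = try_action('action_after', $request);
    printf(
        "%-26s before: %-6s %-32s | after: %s\n",
        '?' . $query,
        $before['value'],
        $before['warnings'] ? '(' . $before['warnings'][0] . ')' : '',
        $after['value']
    );
}
```

Run with `php example.php`. For the three array forms the pre-patch reader yields the string `Array` and a captured `Array to string conversion` warning (an E_WARNING on PHP 8, an E_NOTICE on PHP 7), while the patched reader returns `login` with no warning; the well-formed and absent cases behave identically under both.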
Change History (3)

#1
13 months ago

This ticket was mentioned in PR #8794 on WordPress/wordpress-develop by @dilipbheda.

  • Keywords has-patch added

#2 @SergeyBiryukov
13 months ago

  • Milestone changed from Awaiting Review to 6.9

#3 @SergeyBiryukov
13 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 60239:

Login and Registration: Check that action is a string in wp-login.php.

This prevents a PHP warning if an array is passed instead.

Follow-up to [1974], [6643], [6711], [41782], [58023], [58093].

Props leedxw, dilipbheda.
Fixes #63434.
