[wp-trac] [WordPress Trac] #63433: Fatal error on lostpassword if user_name is given as array
WordPress Trac
noreply at wordpress.org
Mon May 12 09:35:15 UTC 2025
#63433: Fatal error on lostpassword if user_name is given as array
------------------------------------+-----------------------------
Reporter: leedxw | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.8
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
We have logged fatal errors from an attacker sending bad POST requests:
{{{
PHP Fatal error: Uncaught TypeError: trim(): Argument #1 ($string) must
be of type string, array given in /var/www/html/wp-includes/user.php:3179
Stack trace:
#0 /var/www/html/wp-includes/user.php(3179): trim()
#1 /var/www/html/wp-login.php(839): retrieve_password()
#2 {main}
thrown in /var/www/html/wp-includes/user.php on line 3179
}}}
To reproduce:
{{{
curl -F user_login[]=x "http://localhost/wp-login.php?action=lostpassword"
}}}
Suggested patch:
{{{
--- user.php.dist 2025-05-12 09:32:16.480168551 +0000
+++ user.php 2025-05-12 09:33:40.890850357 +0000
@@ -3173,5 +3173,5 @@
// Use the passed $user_login if available, otherwise use
$_POST['user_login'].
- if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
+ if ( ! $user_login && ! empty( $_POST['user_login'] ) &&
is_string( $_POST['user_login'] ) ) {
$user_login = $_POST['user_login'];
}
}}}
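Review bot: the `is_string()` guard covers only the `$_POST` fallback, so a non-string `$user_login` passed directly by a caller still reaches `trim()` at user.php:3179 and fatals the same way; checking `is_string( $user_login )` once, immediately before the `trim()` call, would close both paths. Also, as pasted the hunk has the comment line and the changed `if` line wrapped onto two lines each (`$_POST['user_login'].` and `is_string( $_POST['user_login'] ) ) {` on their own lines), which no longer matches the `-3173,5 +3173,5` counts, so it will not apply cleanly until those lines are rejoined.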
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63433>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
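To show why the reporter's request crashes and what the guarded fallback changes, here is an added PHP example (not WordPress core code and not the reporter's patch). It mirrors the pattern from the hunk in two small functions with a constructed `$post` array standing in for `$_POST`; the function names and the sample request data are assumptions for illustration.

```php
<?php
// Added example, not WordPress core code. Shows how an array submitted as
// user_login[] passes the original ! empty() check and reaches trim(),
// which throws a TypeError on PHP 8, and how a string check stops it.

/**
 * Fallback as in the original code: ! empty() is satisfied by a non-empty
 * array, so ['x'] is copied into $user_login and handed to trim().
 */
function fragile_login_from_post(array $post, $user_login = null)
{
    if (! $user_login && ! empty($post['user_login'])) {
        $user_login = $post['user_login'];
    }
    return trim($user_login); // TypeError when $user_login is an array
}

/**
 * Hardened fallback: only accept a string from the request, and check the
 * final value once before trim() so a non-string argument from a caller
 * is rejected on the same path instead of reaching trim().
 */
function hardened_login_from_post(array $post, $user_login = null): string
{
    if (! $user_login && ! empty($post['user_login']) && is_string($post['user_login'])) {
        $user_login = $post['user_login'];
    }
    if (! is_string($user_login)) {
        return ''; // anything that is not a string counts as "no login given"
    }
    return trim($user_login);
}

// Constructed request data: what PHP builds for `-F user_login=x`
// and for the ticket's `-F user_login[]=x`.
$normal  = ['user_login' => ' x '];
$arrayed = ['user_login' => ['x']];

var_dump(hardened_login_from_post($normal));  // string(1) "x"
var_dump(hardened_login_from_post($arrayed)); // string(0) ""

try {
    fragile_login_from_post($arrayed);
} catch (TypeError $e) {
    // Same failure the ticket logs, caught here instead of being fatal.
    echo 'fragile path: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The hardened version returns an empty login for the array case, which the caller then treats like a blank form field; the fragile version throws the `trim(): Argument #1 ($string) must be of type string, array given` error from the ticket, here caught by the `try` block so the script can show it.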