[wp-trac] [WordPress Trac] #65144: Passwords: trim() asymmetry between wp_hash_password() and wp_check_password() introduced in 6.8

WordPress Trac noreply at wordpress.org
Tue Apr 28 18:37:22 UTC 2026


#65144: Passwords: trim() asymmetry between wp_hash_password() and
wp_check_password() introduced in 6.8
--------------------------+-----------------------------
 Reporter:  mkultraware   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  6.8
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 wp_hash_password() and wp_check_password() handle whitespace
 inconsistently in the bcrypt path introduced in 6.8.

 wp_hash_password() (pluggable.php line 2809):
 hash_hmac('sha384', trim($password), 'wp-sha384', true)

 wp_check_password() (pluggable.php line 2858):
 hash_hmac('sha384', $password, 'wp-sha384', true)

 The hashing function trims leading and trailing whitespace before
 hashing. The verification function does not. This means a password
 set with leading or trailing whitespace will hash as the trimmed
 value but verify against the untrimmed value, producing a mismatch
 and locking the user out.

 The default login path (wp_authenticate) trims upstream, so normal
 logins are not affected. However any code that calls wp_check_password()
 directly without prior trimming is broken — this includes plugins,
 REST API handlers, and custom authentication flows.

 A similar issue was fixed in ticket #34889 but did not carry forward
 to the new bcrypt code path added in 6.8.

 Expected behavior: wp_check_password() should trim the password before
 hashing for verification, mirroring wp_hash_password().

 Suggested fix: change line 2858 in pluggable.php from:
 hash_hmac('sha384', $password, 'wp-sha384', true)
 to:
 hash_hmac('sha384', trim($password), 'wp-sha384', true)
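
 To make the reported mismatch concrete, here is an added example (not WordPress core code) that models the two 6.8 code paths in plain PHP; the base64_encode() step and the bcrypt cost are assumptions, since the ticket shows only the two hash_hmac() lines:

```php
<?php
// Added illustration of the trim() asymmetry; a simplified model of the 6.8
// bcrypt path, not WordPress core. base64_encode() keeps NUL bytes from the
// raw HMAC out of bcrypt's input and the cost of 10 is assumed.

/** Hashing side as in 6.8: HMAC-SHA384 over the trimmed password, then bcrypt. */
function demo_hash_password(string $password): string {
    $prehash = base64_encode(hash_hmac('sha384', trim($password), 'wp-sha384', true));
    return password_hash($prehash, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Verification side as reported for 6.8: no trim(), so the HMAC input differs. */
function demo_check_password_untrimmed(string $password, string $hash): bool {
    $prehash = base64_encode(hash_hmac('sha384', $password, 'wp-sha384', true));
    return password_verify($prehash, $hash);
}

/** Verification side with the suggested fix: trim() mirrors the hashing side. */
function demo_check_password_trimmed(string $password, string $hash): bool {
    $prehash = base64_encode(hash_hmac('sha384', trim($password), 'wp-sha384', true));
    return password_verify($prehash, $hash);
}

// Constructed sample: a password with a trailing space, as a user might paste it.
$password = 'correct horse battery staple ';
$hash     = demo_hash_password($password);

// A direct caller that skips wp_authenticate()'s upstream trim gets a mismatch,
// even though the stored hash is valid for the trimmed value.
var_dump(demo_check_password_untrimmed($password, $hash));
var_dump(demo_check_password_untrimmed(trim($password), $hash));

// With the fix applied, the untrimmed input verifies as well.
var_dump(demo_check_password_trimmed($password, $hash));
```

 Running this shows the first check failing and the other two succeeding, which is the lockout described above for any caller that bypasses the upstream trim.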

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/65144>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform