[wp-trac] [WordPress Trac] #31686: wp_authenticate_username_password() should check for a WP_Error object

WordPress Trac noreply at wordpress.org
Wed Mar 18 16:29:10 UTC 2015

#31686: wp_authenticate_username_password() should check for a WP_Error object
 Reporter:  kwisatz       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
 This is a follow-up to #19714 and #22516

 These were closed, but IMHO, the bug as such is not resolved.
 wp_authenticate_username_password() does only check whether $user is a
 WP_Error object when either password or username are empty:

 75 if ( empty($username) || empty($password) ) {
 76      if ( is_wp_error( $user ) )
 77            return $user;
 78 …

 However, another plugin that hooks into authenticate might pass a WP_Error
 even if $username and $password were provided, but the specific
 authentication mechanism failed.
 The current implementation completely ignores this.

 The result is that users who exist locally can log in using a local,
 possibly older password, bypassing the plugins' additional authentication
 mechanisms completely.

 I'd advocate to check for is_wp_error($user) much earlier in
 wp_authenticate_username_password(), so that the authentication process
 will fail as soon as one "authenticate" filter returns a WP_Error object.

Ticket URL: <https://core.trac.wordpress.org/ticket/31686>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list