From cfc67c014b969ed18e49ffe54eeb5c1c335601ff Mon Sep 17 00:00:00 2001 From: Christopher Ross Date: Mon, 8 Jun 2026 15:12:13 +0000 Subject: [PATCH 1/2] Fix: add missing sanitize_text_field() on provider input in login_form_validate_2fa() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `login_form_revalidate_2fa()` already applies sanitize_text_field( wp_unslash() ) to the same $_REQUEST['provider'] input at line 1703. The parallel validate handler on line 1563 was missing the sanitize_text_field() wrapper — only wp_unslash() was called. This brings the two handlers in line with each other and with WordPress-VIP-Go coding standards (ValidatedSanitizedInput.InputNotSanitized). The provider value flows into get_provider_for_user() as an array key lookup, so there is no functional exploit path — this is a defensive coding and PHPCS compliance fix. Co-Authored-By: Claude Sonnet 4.6 --- class-two-factor-core.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index d98cbfe6..d43188c8 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -1560,7 +1560,7 @@ public static function rest_api_can_edit_user_and_update_two_factor_options( $us public static function login_form_validate_2fa() { $wp_auth_id = ! empty( $_REQUEST['wp-auth-id'] ) ? absint( $_REQUEST['wp-auth-id'] ) : 0; $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; - $provider = ! empty( $_REQUEST['provider'] ) ? wp_unslash( $_REQUEST['provider'] ) : ''; + $provider = ! empty( $_REQUEST['provider'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['provider'] ) ) : ''; $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : ''; $is_post_request = ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ); $user = get_user_by( 'id', $wp_auth_id ); From 0bf501d439c5ebf14a13462ab77065f54411f101 Mon Sep 17 00:00:00 2001 From: Christopher Ross <122108986+thisismyurl@users.noreply.github.com> Date: Thu, 11 Jun 2026 10:01:59 -0400 Subject: [PATCH 2/2] fix: sanitize provider as class-name identifier, not free-form text --- class-two-factor-core.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index d43188c8..209dbbe1 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -1560,7 +1560,7 @@ public static function rest_api_can_edit_user_and_update_two_factor_options( $us public static function login_form_validate_2fa() { $wp_auth_id = ! empty( $_REQUEST['wp-auth-id'] ) ? absint( $_REQUEST['wp-auth-id'] ) : 0; $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; - $provider = ! empty( $_REQUEST['provider'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['provider'] ) ) : ''; + $provider = ! empty( $_REQUEST['provider'] ) ? preg_replace( '/[^a-zA-Z0-9_]/', '', wp_unslash( $_REQUEST['provider'] ) ) : ''; $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : ''; $is_post_request = ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) ); $user = get_user_by( 'id', $wp_auth_id ); @@ -1700,7 +1700,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider = */ public static function login_form_revalidate_2fa() { $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; - $provider = ! empty( $_REQUEST['provider'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['provider'] ) ) : false; + $provider = ! empty( $_REQUEST['provider'] ) ? preg_replace( '/[^a-zA-Z0-9_]/', '', wp_unslash( $_REQUEST['provider'] ) ) : false; $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : admin_url(); $is_post_request = ( 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ) );