Skip to content

Persist third-party plugin $_POST fields across the 2FA login screen (Fixes #705)#925

Open
chetanupare wants to merge 2 commits into
WordPress:masterfrom
chetanupare:issue-705-persist-post-fields
Open

Persist third-party plugin $_POST fields across the 2FA login screen (Fixes #705)#925
chetanupare wants to merge 2 commits into
WordPress:masterfrom
chetanupare:issue-705-persist-post-fields

Conversation

@chetanupare

@chetanupare chetanupare commented Jul 6, 2026

Copy link
Copy Markdown

What?

This PR ensures that custom $_POST fields injected by third-party plugins (e.g., JavaScript detection flags, custom checkboxes) into the WordPress login form are preserved when the Two-Factor plugin interrupts the login flow to display its 2FA challenge.

Fixes #705

Why?

Currently, when a user successfully passes the initial username/password check, Two-Factor renders the login_html() interstitial form. In doing so, it drops any non-standard $_POST variables submitted from the original wp-login.php form. When the user eventually submits their 2FA code, plugins that rely on $_POST (for instance, during the attach_session_information hook) fail to find their data.

How?

A new recursive method Two_Factor_Core::print_custom_post_fields() has been added.

  1. It iterates over $_POST and outputs hidden elements for each field.
  2. It uses a rigorous blocklist to prevent echoing standard WordPress core fields (like log, wp-submit, _wpnonce, etc.), Two-Factor specific fields, and most importantly, passwords (pwd, password, user_pass). This ensures absolute security so that plaintext passwords are never inadvertently written to the HTML source code.
  3. Unit tests have been added to verify that custom fields (including nested arrays) are properly passed through, and that sensitive fields are rigorously blocked.

Use of AI Tools

AI assistance: No

Testing Instructions

  1. Install and activate a plugin that adds a custom field to the WP login form (e.g., nocache-bfcache from the issue, or write a simple mu-plugin that adds an using the login_form hook).
  2. Attempt to log in with an account that has Two-Factor enabled.
  3. On the 2FA interstitial screen, inspect the HTML source code.
  4. Verify that the custom field (my_custom_field) is present as a hidden input.
  5. Verify that sensitive fields (like pwd, password, user_pass, log, etc.) are absolutely not present in the hidden inputs.
  6. Verify that standard authentication still works normally.

Changelog Entry

Fixed - Preserve custom third-party $_POST variables during the 2FA login challenge.

Open WordPress Playground Preview

This hook allows third-party plugins to easily trigger a 2FA re-authentication flow for sensitive actions. Fixes WordPress#644.
This safely copies unknown  variables into hidden fields on the 2FA interstitial screen, ensuring third-party login forms function properly without leaking standard WordPress fields or plaintext passwords.
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: chetanupare <chetanupare@git.wordpress.org>
Co-authored-by: dd32 <dd32@git.wordpress.org>
Co-authored-by: westonruter <westonruter@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Custom login form input fields dropped during two-factor challenge

1 participant