Persist third-party plugin $_POST fields across the 2FA login screen (Fixes #705)#925
Open
chetanupare wants to merge 2 commits into
Open
Persist third-party plugin $_POST fields across the 2FA login screen (Fixes #705)#925chetanupare wants to merge 2 commits into
chetanupare wants to merge 2 commits into
Conversation
This hook allows third-party plugins to easily trigger a 2FA re-authentication flow for sensitive actions. Fixes WordPress#644.
This safely copies unknown variables into hidden fields on the 2FA interstitial screen, ensuring third-party login forms function properly without leaking standard WordPress fields or plaintext passwords.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What?
This PR ensures that custom $_POST fields injected by third-party plugins (e.g., JavaScript detection flags, custom checkboxes) into the WordPress login form are preserved when the Two-Factor plugin interrupts the login flow to display its 2FA challenge.
Fixes #705
Why?
Currently, when a user successfully passes the initial username/password check, Two-Factor renders the login_html() interstitial form. In doing so, it drops any non-standard $_POST variables submitted from the original wp-login.php form. When the user eventually submits their 2FA code, plugins that rely on $_POST (for instance, during the attach_session_information hook) fail to find their data.
How?
A new recursive method Two_Factor_Core::print_custom_post_fields() has been added.
Use of AI Tools
AI assistance: No
Testing Instructions
Changelog Entry
Fixed - Preserve custom third-party $_POST variables during the 2FA login challenge.