From dd91216002bba136884e5e37748a90dfa9d7a1a7 Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Mon, 17 Oct 2022 12:59:05 +1000
Subject: [PATCH 1/2] Pass a WP_Error object to the `wp_login_failed` filter.
---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 28a12b23..beb6429f 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -855,7 +855,7 @@ public static function login_form_validate_2fa() {
 // Ask the provider to verify the second factor.
 if ( true !== $provider->validate_authentication( $user ) ) {
- do_action( 'wp_login_failed', $user->user_login );
+ do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', esc_html__( 'ERROR: Invalid verification code.', 'two-factor' ) ) );
 $login_nonce = self::create_login_nonce( $user->ID );
 if ( ! $login_nonce ) {
From 8aa3d78dc6e4d952f8e6baa0ab5480dd2ac7d10e Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Mon, 17 Oct 2022 14:13:38 +1000
Subject: [PATCH 2/2] Don't escape the translation when passing it to WP_Error to avoid potential double-escapes.
---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index beb6429f..312b34be 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -855,7 +855,7 @@ public static function login_form_validate_2fa() {
 // Ask the provider to verify the second factor.
 if ( true !== $provider->validate_authentication( $user ) ) {
- do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', esc_html__( 'ERROR: Invalid verification code.', 'two-factor' ) ) );
+ do_action( 'wp_login_failed', $user->user_login, new WP_Error( 'two_factor_invalid', __( 'ERROR: Invalid verification code.', 'two-factor' ) ) );
 $login_nonce = self::create_login_nonce( $user->ID );
 if ( ! $login_nonce ) {
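Review bot: The `two_factor_invalid` error code on the new `do_action( 'wp_login_failed', ... )` line is undocumented, although it is the only thing that lets a login-failure listener (audit log, lockout counter) tell a rejected second factor from a rejected password. Judging by the function name and the comment above the call, the user has presumably already passed the first factor here, which makes this event worth separating in detection. I would add a comment above the call, e.g. `// Second factor rejected; listeners can match on the 'two_factor_invalid' code of the WP_Error.` The body of `login_form_validate_2fa()` starts and ends outside the hunk, and the same line is rewritten in patch 2/2, so the comment applies to the final form as well.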
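Review bot: After replacing `esc_html__()` with `__()`, the message in the `WP_Error` on the new `do_action` line is raw translated text, and nothing at the call site tells listeners that escaping is now their job. Escaping at output is the right place, since the same object may end up in a log, a JSON response or HTML, but the contract should be written down where the object is created. I would add `// The message is unescaped on purpose; escape it for the output context (e.g. esc_html()) wherever it is rendered.` above the call. If other code in this function, outside the hunk, prints the same string, it should keep escaping at that point.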