Fix: Apply wp_slash() to admin password in wp core install (#311)

Copilot · swissspidy · web-flow · commit eef5fff75f88 · 2026-03-04T12:40:44.000+01:00
* Initial plan * Fix: Apply wp_slash() to admin password in wp core install Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com> * Apply suggestion from @swissspidy * PHPStan fix --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com> Co-authored-by: Pascal Birchler <pascalb@google.com>
diff --git a/features/core-install.feature b/features/core-install.feature
@@ -177,6 +177,22 @@ Feature: Install WordPress core
       """
     And the return code should be 0
 
+  Scenario: Install WordPress with special characters in the admin password
+    Given an empty directory
+    And WP files
+    And wp-config.php
+    And a database
+
+    When I run `wp core install --url=localhost:8001 --title=Test --admin_user=wpcli --admin_email=wpcli@example.org --admin_password='R^^CzY;G"iZ@]H9b,' --skip-email`
+    Then STDOUT should contain:
+      """
+      Success: WordPress installed successfully.
+      """
+    And the return code should be 0
+
+    When I run `wp user check-password wpcli 'R^^CzY;G"iZ@]H9b,' --escape-chars`
+    Then the return code should be 0
+
   # This test downgrades to an older WordPress version, but the SQLite plugin requires 6.0+
   @require-mysql
   Scenario: Install WordPress with locale set to de_DE on WP >= 4.0
diff --git a/src/Core_Command.php b/src/Core_Command.php
@@ -704,12 +704,16 @@ function wp_new_blog_notification() {
 		}
 
 		$public   = true;
-		$password = $args['admin_password'];
+		$password = wp_slash( $args['admin_password'] );
 
 		if ( ! is_email( $args['admin_email'] ) ) {
 			WP_CLI::error( "The '{$args['admin_email']}' email address is invalid." );
 		}
 
+		/**
+		 * @var string $password
+		 */
+
 		$result = wp_install(
 			$args['title'],
 			$args['admin_user'],
