Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. The underlying cause is that the bcrypt backend treats the password as a NUL-terminated C string, so a password such as "\x00secret" is hashed as the empty string; the stored hash therefore matches a blank login, and it keeps matching a blank login even after PHP is upgraded, because the hash itself is a hash of "".
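The following is an added example, not code from the advisory or from the PHP project. It reproduces the behaviour described above, wraps password_hash()/password_verify() so that null bytes and blank candidates are rejected before the library is called, and audits a table of stored hashes for entries that already verify against the empty string. The function names (safe_password_hash, safe_password_verify, find_blank_password_accounts) and the sample hash table are assumptions made for the example; bob's entry is constructed as a hash of "" to stand in for a hash written by an affected version.

```php
<?php
declare(strict_types=1);

// Added example (not the advisory's code). Assumes the bcrypt algorithm,
// which is password_hash()'s default and the one affected by this bug.

/**
 * Hardened hashing wrapper: refuse any password containing a NUL byte.
 * On affected PHP versions "\x00secret" would otherwise be hashed as "".
 */
function safe_password_hash(string $password): string
{
    if (str_contains($password, "\0")) {
        throw new InvalidArgumentException('Password must not contain a null byte');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Hardened verification wrapper: a blank or NUL-containing candidate is
 * never a valid login, regardless of what the stored hash matches.
 */
function safe_password_verify(string $candidate, string $hash): bool
{
    if ($candidate === '' || str_contains($candidate, "\0")) {
        return false;
    }
    return password_verify($candidate, $hash);
}

/**
 * Audit check: any stored hash that verifies against "" lets anyone log in
 * with a blank password. Hashes created from "\x00..." on an affected
 * version are hashes of "", so this check finds them on any PHP version.
 *
 * @param array<string, string> $hashes  user id => stored password hash
 * @return string[]                      user ids that must be forced to reset
 */
function find_blank_password_accounts(array $hashes): array
{
    $affected = [];
    foreach ($hashes as $userId => $hash) {
        if (password_verify('', $hash)) {
            $affected[] = $userId;
        }
    }
    return $affected;
}

// 1. Reproduction. On an affected release this prints bool(true); a fixed
//    release refuses the input instead (the exception class is not assumed).
try {
    $h = password_hash("\x00secret", PASSWORD_BCRYPT);
    var_dump(password_verify('', $h));
} catch (\Throwable $e) {
    echo "password_hash() rejected the null byte: {$e->getMessage()}\n";
}

// 2. The wrappers refuse the dangerous inputs up front.
try {
    safe_password_hash("\x00secret");
} catch (InvalidArgumentException $e) {
    echo "safe_password_hash: {$e->getMessage()}\n";
}
$good = safe_password_hash('correct horse battery staple');
var_dump(safe_password_verify('', $good));                             // bool(false)
var_dump(safe_password_verify('correct horse battery staple', $good)); // bool(true)

// 3. Audit a constructed user table. "bob" stands in for an account whose
//    hash was written from a "\x00..." password by an affected version.
$sample = [
    'alice' => $good,
    'bob'   => password_hash('', PASSWORD_BCRYPT),
];
print_r(find_blank_password_accounts($sample)); // Array ( [0] => bob )
```

The audit in step 3 is the part to run after upgrading: patching PHP stops new bad hashes from being written, but existing hashes that were derived from "" stay valid for a blank login until those users are forced to set a new password.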
Remediation
Upgrade to PHP 8.1.28, 8.2.18 or 8.3.5 (or later), as given in the description. Because hashes written from a null-byte-prefixed password on an affected version remain hashes of the empty string, also check stored hashes with password_verify('', $hash) and force a password reset for any account where that returns true. Until the upgrade is in place, reject passwords containing a null byte before calling password_hash() and treat a blank login attempt as a failure before calling password_verify().
References
Related Vulnerabilities
WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.14)
WordPress Plugin WooCommerce Cross-Site Scripting (2.0.12)
WordPress Plugin Custom Login Page Customizer-LoginPress Multiple Vulnerabilities (1.1.13)
ownCloud Improper Input Validation Vulnerability (CVE-2012-5336)
WordPress Plugin Import Woocommerce Cross-Site Scripting (1.0.1)