PHP Fatal error: Uncaught TypeError: hash_equals(): Argument #1 ($known_string)

Hello AIO Login Team!

We hope this message finds you well.

While testing your login protection feature on compatibility with our plugin, we found an issue in your plugin:

File: /includes/login-controller/class-login-controller.php

Method: wp_authenticate_user

Line #287: if ( wp_check_password( $password, $wp_user->user_pass, $wp_user->ID ) )

Such a call of wp_check_password, without checking on the object type, causes a fatal error in PHP 8.1 when the $wp_user is an instance of the WP_Error class (which is a possible scenario for the wp_authenticate_user hook).

Description: when the $wp_user is instance of the WP_Error class, the second and third arguments passed to wp_check_password are NULL, while WP expects strings, which passes to the hash_equals functions, and it leads to the fatal PHP error.

Error log:

PHP Fatal error: Uncaught TypeError: hash_equals(): Argument #1 ($known_string) must be of type string, null given in /wp-includes/pluggable.php:2577
Stack trace:
0 /wp-includes/pluggable.php(2577): hash_equals(NULL, ‘6b434a9c3342cc1…’)
1 /wp-content/plugins/change-wp-admin-login/includes/login-controller/class-login-controller.php(287): wp_check_password(‘string’, NULL, NULL)

Please include the object type check to make the plugin compatible with others.

Best regards,
The Prosopo Team