From 87e647a6a06a4d8e35f0dbabfe7b69a38bc77499 Mon Sep 17 00:00:00 2001
From: StalkR
Date: Wed, 14 May 2025 15:09:34 +0200
Subject: [PATCH] lib/Crypto/Phpass: support new hashes of wordpress 6.8

Signed-off-by: StalkR
---
 lib/Crypto/Phpass.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/Crypto/Phpass.php b/lib/Crypto/Phpass.php
index 4b117a9..493114e 100644
--- a/lib/Crypto/Phpass.php
+++ b/lib/Crypto/Phpass.php
@@ -53,6 +53,12 @@ public function __construct(IL10N $localization, $iterationCount = 8)
 */
 public function checkPassword($password, $dbHash, $salt = null)
 {
+ // WordPress 6.8 upgraded password hashing for bcrypt
+ // https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/
+ if (str_starts_with( $dbHash, '$wp' )) {
+ $password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
+ return password_verify( $password_to_verify, substr( $dbHash, 3 ) );
+ }
 return hash_equals($dbHash, $this->crypt($password, $dbHash));
 }
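Review bot: `str_starts_with()` in the new branch of checkPassword exists only from PHP 8.0, so if this app still declares support for PHP 7.x (not visible in this patch) every password check through this class would end in a fatal error; `if (strncmp($dbHash, '$wp', 3) === 0) {` performs the same test on any version. The branch itself fails closed: a `$wp` value whose remainder is not a valid `password_hash()` string makes `password_verify()` return false rather than fall through to the phpass comparison. The added lines use padded parentheses and a snake_case local (`$password_to_verify`) where the neighbouring `hash_equals($dbHash, ...)` line does not; matching that style (`$passwordToVerify`) and adding a short comment that `'wp-sha384'` is the fixed HMAC key and `3` is the length of the `$wp` prefix would make the pre-hash step easier to audit. The method's docblock starts above the hunk, so whether it still describes only phpass hashes cannot be checked from here.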