diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 2571a3510b..4a68aaae5a 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -2747,15 +2747,19 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array|IXR_Error
 */
 public function wp_editPage( $args ) {
- // Items not escaped here will be escaped in editPost.
- $page_id = (int) $this->escape($args[1]);
- $username = $this->escape($args[2]);
- $password = $this->escape($args[3]);
+ // Items will be escaped in mw_editPost.
+ $page_id = (int) $args[1];
+ $username = $args[2];
+ $password = $args[3];
 $content = $args[4];
 $publish = $args[5];
- if ( !$user = $this->login($username, $password) )
+ $escaped_username = $this->escape( $username );
+ $escaped_password = $this->escape( $password );
+
+ if ( !$user = $this->login( $escaped_username, $escaped_password ) ) {
 return $this->error;
+ }
 /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
 do_action( 'xmlrpc_call', 'wp.editPage' );
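Review bot: After this change `$username` and `$password` hold the raw client-supplied XML-RPC values and only the `$escaped_*` copies are slashed, but the one-line comment `// Items will be escaped in mw_editPost.` does not state that the raw names must not be used in this method. I would expand it to `// $username/$password stay raw so mw_editPost() escapes them exactly once; use only the $escaped_* copies in this method.` so a later edit does not pass the unescaped values to a query or lookup here. The body of wp_editPage continues past the hunk, so whether the raw values are used anywhere before the hand-off cannot be confirmed from these lines. Separately, `$args[1]` through `$args[5]` are read with no argument-count check visible in the hunk, so a short request would reach undefined offsets before authentication; returning an `IXR_Error` when fewer than six arguments arrive would close that gap.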