Fix #53348: Add isset() checks and else fallback for checkemail in wp-login.php

[Vedanshmini26]

Core Trac: https://core.trac.wordpress.org/ticket/53348

Problem

Visiting wp-login.php with certain query strings results in a blank page instead of the login form. The affected URLs are:

wp-login.php?action=checkemail
wp-login.php?checkemail=foo (any value other than confirm or registered)
Additionally, visiting wp-login.php?action=checkemail triggers two PHP notices:

Notice: Undefined index: checkemail in wp-login.php on line 1217
Notice: Undefined index: checkemail in wp-login.php on line 1227

Root Cause

In the checkemail switch case, $_GET['checkemail'] was accessed directly without an isset() check. When checkemail is not present in the query string (e.g. ?action=checkemail), PHP fires an "Undefined index" notice for both the if and elseif comparisons.

Furthermore, there was no else fallback for unexpected or missing checkemail values. When neither 'confirm' nor 'registered' matched, the code called login_header() and login_footer() with an empty $errors object — rendering a page with no content, no form, and no message.

Solution

Two targeted changes inside the checkemail switch case in src/wp-login.php:

Added isset() guards before each $_GET['checkemail'] comparison to eliminate the PHP notices:

if ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) {

} elseif ( isset( $_GET['checkemail'] ) && 'registered' === $_GET['checkemail'] ) {
Added an else fallback that redirects to the login URL for all unexpected or missing checkemail values:

} else {
wp_redirect( wp_login_url() );
exit;
}
This is consistent with existing behaviour — when an unrecognised ?action= value is supplied, WordPress falls back to the login form (line 509–510). No user-supplied input is used in the redirect, so there is no open redirect vulnerability.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props sheldorofazeroth.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.