• Andreas

    (@stylingagenten)


    🐞 Bug Report: PHP TypeError in Login Security Module (Wordfence)

    Hi Wordfence Team,

    We’ve encountered a recurring critical error on our WordPress site related to the Wordfence Login Security module, triggered during user login or registration attempts.

    Error in logs:

    Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, string given in /wp-content/plugins/wordfence/modules/login-security/classes/controller/permissions.php:440

    This error appears multiple times in the log and causes a “There has been a critical error on this website” message to users. It seems the second argument passed to array_key_exists() is unexpectedly a string instead of an array.

    🧪 Context:

    • WordPress 6.x (latest)
    • WooCommerce installed and active
    • No custom login code – using default WooCommerce login/registration
    • Error triggered after repeated login attempts by an existing user (xx_xx@hotmail.com)

    📌 Temporary fix:
    Disabling the Wordfence Login Security module immediately stops the error. However, this is not a sustainable solution due to the security implications.

    Suggestion: Add a type check before calling array_key_exists() to avoid the fatal error:

    if (is_array($permissions) && array_key_exists('some_key', $permissions)) {
        // ...
    }

    If you see any other solution, please tell me.

    Best regards,

    Andreas


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @stylingagenten, thank you for your detailed message.

    I haven’t seen array_key_exists() throwing that error on permissions.php before, although previous cases with that file were related to switching a multisite to a regular site. Sometimes array/string errors have been triggered by unexpected data from another plugin so we may need to see a list of those to learn more.

    You can send a diagnostic report to wftest @ wordfence . com by finding the link at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Many thanks,
    Peter.

    Thread Starter Andreas

    (@stylingagenten)

    Hi Peter,

    Thanks for your reply!

    We’ve done some further investigation based on the error and backtrace. The issue seems to occur only for users that were created before we enabled Multisite, and only on our Multisite-enabled WooCommerce site. Users created after the Multisite setup don’t seem to trigger the issue.

    We queried the wp_usermeta table and confirmed that for affected users, the meta key wordfence_ls_permissions does not exist at all. This causes the $permissions variable in permissions.php to become a null or an empty string, which leads to the fatal error:

    array_key_exists(): Argument #2 ($array) must be of type array, string given

    We believe the bug could be avoided by adding a type check before calling array_key_exists() — e.g. wrapping it with is_array() to avoid assumptions about the data type. This only affects accounts where wordfence_ls_permissions is missing or malformed.

    We’ll go ahead and send you the diagnostic report via email as requested, and will include this forum username. I see that I added @andreas as the username.
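
Added example (not part of the thread and not Wordfence's code): the failure described in the post above, reproduced without WordPress, next to the guarded lookup and a check that lists affected accounts. `stub_get_user_meta()`, the array shape and the capability name `example_cap` are assumptions; the stub mirrors how `get_user_meta()` with `$single = true` returns an empty string when the key is missing.

```php
<?php
// Added example, not Wordfence code. Array shape and capability name are assumptions.

// Constructed usermeta rows: user 1 has an array, user 2 has no
// wordfence_ls_permissions row at all, user 3 has a malformed string value.
$usermeta = [
    1 => ['wordfence_ls_permissions' => ['example_cap' => true]],
    2 => [],
    3 => ['wordfence_ls_permissions' => 'not-an-array'],
];

// Hypothetical stand-in for get_user_meta($id, $key, true), which returns ''
// when the key does not exist for that user.
function stub_get_user_meta(array $usermeta, int $userId, string $key) {
    return $usermeta[$userId][$key] ?? '';
}

// Unguarded: assumes the stored value is always an array.
function has_cap_unguarded($permissions, string $cap): bool {
    return array_key_exists($cap, $permissions); // TypeError on PHP 8 for '' or null
}

// Guarded: a missing or malformed record means "no capability" (fail closed).
function has_cap_guarded($permissions, string $cap): bool {
    return is_array($permissions) && array_key_exists($cap, $permissions);
}

// Report which accounts carry a non-array value and would hit the fatal error.
function find_affected_users(array $usermeta, string $key): array {
    $affected = [];
    foreach (array_keys($usermeta) as $userId) {
        if (!is_array(stub_get_user_meta($usermeta, $userId, $key))) {
            $affected[] = $userId;
        }
    }
    return $affected;
}

foreach (array_keys($usermeta) as $userId) {
    $perms = stub_get_user_meta($usermeta, $userId, 'wordfence_ls_permissions');
    try {
        $unguarded = var_export(has_cap_unguarded($perms, 'example_cap'), true);
    } catch (TypeError $e) {
        $unguarded = 'TypeError';
    }
    $guarded = var_export(has_cap_guarded($perms, 'example_cap'), true);
    echo "user $userId: unguarded=$unguarded guarded=$guarded\n";
}
echo 'affected: ' . implode(', ', find_affected_users($usermeta, 'wordfence_ls_permissions')) . "\n";
```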

    Thread Starter Andreas

    (@stylingagenten)

    Hi,

    Here is also the error log:



    2025-04-04T06:04:17+00:00 Critical Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, string given in /[REDACTED_PATH]/wp-content/plugins/wordfence/modules/login-security/classes/controller/permissions.php:440

    Additional context
    {
        "error": {
            "type": 1,
            "file": "/[REDACTED_PATH]/wp-content/plugins/wordfence/modules/login-security/classes/controller/permissions.php",
            "line": 440
        },
        "remote-logging": true,
        "backtrace": [
            "",
            "#0 /[REDACTED_PATH]/wp-content/plugins/wordfence/modules/login-security/classes/controller/permissions.php(440): array_key_exists()",
            "#1 /[REDACTED_PATH]/wp-content/plugins/wordfence/modules/login-security/classes/controller/users.php(195): WordfenceLS\Controller_Permissions->does_user_have_multisite_capability()",
            "#2 /[REDACTED_PATH]/wp-content/plugins/wordfence/modules/login-security/classes/controller/users.php(660): WordfenceLS\Controller_Users->can_activate_2fa()",
            "#3 /[REDACTED_PATH]/wp-includes/class-wp-hook.php(324): WordfenceLS\Controller_Users->_user_row_actions()",
            "#4 /[REDACTED_PATH]/wp-includes/plugin.php(205): WP_Hook->apply_filters()",
            "#5 /[REDACTED_PATH]/wp-admin/includes/class-wp-users-list-table.php(520): apply_filters()",
            "#6 /[REDACTED_PATH]/wp-admin/includes/class-wp-users-list-table.php(415): WP_Users_List_Table->single_row()",
            "#7 /[REDACTED_PATH]/wp-admin/includes/class-wp-list-table.php(1712): WP_Users_List_Table->display_rows()",
            "#8 /[REDACTED_PATH]/wp-admin/includes/class-wp-list-table.php(1639): WP_List_Table->display_rows_or_placeholder()",
            "#9 /[REDACTED_PATH]/wp-admin/users.php(814): WP_List_Table->display()",
            "#10 {main}",
            "thrown"
        ]
    }

The topic ‘Bug login’ is closed to new replies.