Malin 5f91b979eb feat: protect WP login, password reset, and fix Elementor AJAX bypass
- Move elementor_pro/forms/validation hook before is_admin() early return
  (same AJAX bypass bug as CF7 — Elementor submits to admin-ajax.php)
- Add login_head + login_footer hooks so CSS/JS HMAC token loads on
  wp-login.php (wp_head/footer do not fire on that page)
- Add lostpassword_form + woocommerce_lostpassword_form injection hooks
- Add authenticate filter (validate_wp_login) for WP native login,
  guarded to skip WC login and non-form auth calls
- Add lostpassword_post action (validate_lost_password) for password reset,
  covering both WP and WC My Account lost-password forms
- Exclude woocommerce-lost-password-nonce from generic catch-all to avoid
  double-processing WC lost-password submissions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 07:08:50 +01:00
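The registration-order bug named in the first bullet, as an added stand-alone sketch (not the plugin's own code): WordPress's is_admin() returns true for requests to admin-ajax.php, so a form hook registered after an is_admin() early return is never attached for AJAX submissions. The demo_* names and the stand-in is_admin()/add_action() definitions are assumptions so the file runs outside WordPress.

```php
<?php
// Constructed stand-ins for WordPress core (assumption: run as a plain PHP script).
$GLOBALS['demo_hooks'] = [];
$GLOBALS['demo_is_admin'] = false;
function is_admin() { return $GLOBALS['demo_is_admin']; } // true on admin-ajax.php in WordPress
function add_action($hook, $callback) { $GLOBALS['demo_hooks'][$hook][] = $callback; }

// Hypothetical callbacks; bodies are irrelevant to the ordering problem.
function demo_validate_form() {}
function demo_inject_token() {}

// Before the fix: the early return runs first, so the validation hook is
// never registered when the form posts to admin-ajax.php.
function demo_register_before() {
    if (is_admin()) { return; }
    add_action('wp_footer', 'demo_inject_token');
    add_action('elementor_pro/forms/validation', 'demo_validate_form');
}

// After the fix: the validation hook is registered ahead of the early return.
// Front-end-only work stays behind it, and the login page gets its own hooks
// because wp_head/wp_footer do not fire on wp-login.php.
function demo_register_after() {
    add_action('elementor_pro/forms/validation', 'demo_validate_form');
    if (is_admin()) { return; }
    add_action('wp_footer', 'demo_inject_token');
    add_action('login_footer', 'demo_inject_token');
}

// Returns the hook names attached for one simulated request.
function demo_hooks_for($register, $is_admin_request) {
    $GLOBALS['demo_hooks'] = [];
    $GLOBALS['demo_is_admin'] = $is_admin_request;
    $register();
    return array_keys($GLOBALS['demo_hooks']);
}

foreach (['demo_register_before', 'demo_register_after'] as $register) {
    foreach ([false => 'front-end request', true => 'admin-ajax.php request'] as $admin => $label) {
        $hooks = demo_hooks_for($register, (bool) $admin);
        $state = in_array('elementor_pro/forms/validation', $hooks, true) ? 'validated' : 'NOT validated';
        echo "$register, $label: form submission $state\n";
    }
}
```

A quick regression check for this class of bug is to assert, in a test that simulates an admin-ajax.php request, that every form-validation hook the plugin relies on has a callback attached.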
238 KiB
Languages
PHP 64.8%
HTML 24.8%
JavaScript 10.2%
Dockerfile 0.2%