From 1388689a55a9b87fb03e4eb448bf8a2447d52539 Mon Sep 17 00:00:00 2001
From: Felix Arntz
Date: Mon, 28 Apr 2025 21:12:28 +0000
Subject: [PATCH] Networks and Sites: Sanitize key parameter in `wp-activate.php`. Props khushipatel15. Fixes #63320. Built from https://develop.svn.wordpress.org/trunk@60204 git-svn-id: http://core.svn.wordpress.org/trunk@59540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-activate.php | 4 ++--
 wp-includes/version.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/wp-activate.php b/wp-activate.php
index 5dc602337b..f4fd8d76c3 100644
--- a/wp-activate.php
+++ b/wp-activate.php
@@ -29,9 +29,9 @@ $result = null;
 if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
 wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
 } elseif ( ! empty( $_GET['key'] ) ) {
- $key = $_GET['key'];
+ $key = sanitize_text_field( $_GET['key'] );
 } elseif ( ! empty( $_POST['key'] ) ) {
- $key = $_POST['key'];
+ $key = sanitize_text_field( $_POST['key'] );
 }

 if ( $key ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index a455ed50bf..cbc3209f08 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.9-alpha-60203';
+$wp_version = '6.9-alpha-60204';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
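Review bot: In the wp-activate.php hunk, both new assignments pass the raw superglobal to `sanitize_text_field()` without `wp_unslash()`, so the value is still in WordPress's slashed form when it is cleaned; the usual core pattern would be `$key = sanitize_text_field( wp_unslash( $_GET['key'] ) );`, and the same for `$_POST['key']`. `sanitize_text_field()` also normalizes rather than validates: a malformed key is silently rewritten (tags, percent-encoded octets and extra whitespace stripped, an array reduced to an empty string) before it reaches `if ( $key )`. If activation keys have a fixed format, a strict check that rejects anything else would be tighter; that is an assumption to confirm against the key generator, which is not visible here. The mismatch test at the top of the hunk still compares the unsanitized `$_GET`/`$_POST` values, and the code that consumes `$key` lies outside the hunk, so output escaping there still has to stand on its own.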