From 12e25612343e694b9e210f9a37623c51856f9782 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 17:39:14 +0000
Subject: [PATCH] Output without escaping for dynamic link text #65090

---
 src/wp-login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-login.php b/src/wp-login.php
index abedea82c3589..4bb1b4c40b78c 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -231,7 +231,7 @@ function login_header( $title = null, $message = '', $wp_error = null ) {
 	$message = apply_filters( 'login_message', $message );
 
 	if ( ! empty( $message ) ) {
-		echo $message . "\n";
+		echo wp_kses_post( $message ) . "\n";
 	}
 
 	// In case a plugin uses $error rather than the $wp_errors object.