From 83076eee8de9321669db2f8d47076f290b2e9b7a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 17:41:47 +0000
Subject: [PATCH] Output without escaping for dynamic link text #65090

---
 src/wp-login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-login.php b/src/wp-login.php
index 60d9c21f3ddf1..3d4cba3719583 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -231,7 +231,7 @@ function login_header( $title = null, $message = '', $wp_error = null ) {
 	$message = apply_filters( 'login_message', $message );
 
 	if ( ! empty( $message ) ) {
-		echo $message . "\n";
+		echo wp_kses_post( $message ) . "\n";
 	}
 
 	// In case a plugin uses $error rather than the $wp_errors object.