diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/blocks/legacy-widget.php
--- a/wp/wp-includes/blocks/legacy-widget.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/blocks/legacy-widget.php	Fri Sep 05 18:40:08 2025 +0200
@@ -8,6 +8,10 @@
 /**
  * Renders the 'core/legacy-widget' block.
  *
+ * @since 5.8.0
+ *
+ * @global int $wp_widget_factory.
+ *
  * @param array $attributes The block attributes.
  *
  * @return string Rendered block.
@@ -34,7 +38,7 @@
 
 	if ( isset( $attributes['instance']['encoded'], $attributes['instance']['hash'] ) ) {
 		$serialized_instance = base64_decode( $attributes['instance']['encoded'] );
-		if ( wp_hash( $serialized_instance ) !== $attributes['instance']['hash'] ) {
+		if ( ! hash_equals( wp_hash( $serialized_instance ), (string) $attributes['instance']['hash'] ) ) {
 			return '';
 		}
 		$instance = unserialize( $serialized_instance );
@@ -54,6 +58,8 @@
 
 /**
  * Registers the 'core/legacy-widget' block.
+ *
+ * @since 5.8.0
  */
 function register_block_core_legacy_widget() {
 	register_block_type_from_metadata(
@@ -70,6 +76,8 @@
  * Intercepts any request with legacy-widget-preview in the query param and, if
  * set, renders a page containing a preview of the requested Legacy Widget
  * block.
+ *
+ * @since 5.8.0
  */
 function handle_legacy_widget_preview_iframe() {
 	if ( empty( $_GET['legacy-widget-preview'] ) ) {