diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/class-wp-recovery-mode-cookie-service.php
--- a/wp/wp-includes/class-wp-recovery-mode-cookie-service.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/class-wp-recovery-mode-cookie-service.php	Fri Sep 05 18:40:08 2025 +0200
@@ -11,6 +11,7 @@
  *
  * @since 5.2.0
  */
+#[AllowDynamicProperties]
 final class WP_Recovery_Mode_Cookie_Service {
 
 	/**
@@ -197,7 +198,19 @@
 	 * @return string|false The hashed $data, or false on failure.
 	 */
 	private function recovery_mode_hash( $data ) {
-		if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === 'put your unique phrase here' ) {
+		$default_keys = array_unique(
+			array(
+				'put your unique phrase here',
+				/*
+				 * translators: This string should only be translated if wp-config-sample.php is localized.
+				 * You can check the localized release package or
+				 * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
+				 */
+				__( 'put your unique phrase here' ),
+			)
+		);
+
+		if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) {
 			$auth_key = get_site_option( 'recovery_mode_auth_key' );
 
 			if ( ! $auth_key ) {
@@ -212,7 +225,7 @@
 			$auth_key = AUTH_KEY;
 		}
 
-		if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
+		if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) {
 			$auth_salt = get_site_option( 'recovery_mode_auth_salt' );
 
 			if ( ! $auth_salt ) {