diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-trackback.php
--- a/wp/wp-trackback.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-trackback.php Fri Sep 05 18:40:08 2025 +0200
@@ -13,6 +13,9 @@
 wp( array( 'tb' => '1' ) );
 }
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
+
 /**
 * Response to a trackback.
 *
@@ -22,10 +25,11 @@
 *
 * @param int|bool $error Whether there was an error.
 * Default '0'. Accepts '0' or '1', true or false.
- * @param string $error_message Error message if an error occurred.
+ * @param string $error_message Error message if an error occurred. Default empty string.
 */
 function trackback_response( $error = 0, $error_message = '' ) {
 header( 'Content-Type: text/xml; charset=' . get_option( 'blog_charset' ) );
+
 if ( $error ) {
 echo '\n";
 echo "\n";
@@ -41,16 +45,13 @@
 }
 }
-// Trackback is done by a POST.
-$request_array = 'HTTP_POST_VARS';
-
 if ( ! isset( $_GET['tb_id'] ) || ! $_GET['tb_id'] ) {
- $tb_id = explode( '/', $_SERVER['REQUEST_URI'] );
- $tb_id = (int) $tb_id[ count( $tb_id ) - 1 ];
+ $post_id = explode( '/', $_SERVER['REQUEST_URI'] );
+ $post_id = (int) $post_id[ count( $post_id ) - 1 ];
 }
-$tb_url = isset( $_POST['url'] ) ? $_POST['url'] : '';
-$charset = isset( $_POST['charset'] ) ? $_POST['charset'] : '';
+$trackback_url = isset( $_POST['url'] ) ? $_POST['url'] : '';
+$charset = isset( $_POST['charset'] ) ? $_POST['charset'] : '';
 // These three are stripslashed here so they can be properly escaped after mb_convert_encoding().
 $title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
@@ -64,7 +65,7 @@
 }
 // No valid uses for UTF-7.
-if ( false !== strpos( $charset, 'UTF-7' ) ) {
+if ( str_contains( $charset, 'UTF-7' ) ) {
 die;
 }
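Review bot: The comment added above `wp_set_current_user( 0 );` says what the call does but not why, and the why is the security-relevant part: a trackback is an anonymous remote POST, yet without this line the handler would run under whatever cookie session the requesting browser happened to carry, so the comment filtering and capability checks reached through `wp_new_comment()` later in this file (outside this hunk) would be evaluated for that logged-in user instead of for an anonymous visitor. If I recall core correctly, `kses_init()` is hooked to the `set_current_user` action, so this call is also what re-arms the `unfiltered_html`-dependent content filters for trackback content. I would make the comment carry that reasoning: `// Always run as an unauthenticated user: a trackback is an anonymous remote request, and the comment it creates must not inherit the capabilities of a cookie-authenticated browser session.`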
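Review bot: The rewritten assignments `$trackback_url = isset( $_POST['url'] ) ? $_POST['url'] : '';` and `$charset = isset( $_POST['charset'] ) ? $_POST['charset'] : '';` are the `isset()` ternary that the null-coalescing operator replaces one-for-one, so since the lines are being touched anyway I would write `$trackback_url = $_POST['url'] ?? '';` and `$charset = $_POST['charset'] ?? '';`. Both values are raw request input at this point and this hunk leaves them that way; as far as the surrounding hunks show, `$charset` is normalised before the UTF-7 check and `$trackback_url` only becomes `comment_author_url` further down, where I believe the `pre_comment_author_url` filters inside `wp_new_comment()` do the actual sanitising, so a short comment such as `// Raw request values: $charset is normalised below; the URL is filtered when the comment is created.` would save the next reader from re-tracing that. One more documentation nit on the first `if`: `tb_id` is only tested for presence in this hunk and its value is never read here, with the post ID later coming from the query (`$posts[0]->ID` in a following hunk) or, as a fallback, from the integer cast of the last `REQUEST_URI` segment, which silently yields 0 for a trailing slash or query string; a comment stating that resolution order would help.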
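Review bot: The `str_contains()` form is clearer, but the `// No valid uses for UTF-7.` comment above it still leaves the reader to guess why this one encoding is hard-rejected while everything else is handed to `mb_convert_encoding()` later in the file. The reason is that UTF-7 can represent markup-significant characters as plain ASCII letters, so anything inspected before the conversion sees harmless text and anything after it sees markup; I would extend the comment to `// No valid uses for UTF-7: it can encode markup characters as plain ASCII, defeating any inspection done before mb_convert_encoding().` The match is case-sensitive, which is fine only if the normalisation of `$charset` above this hunk (not shown) always upper-cases it, so that is worth confirming. A bare `die;` also returns an empty body rather than the XML error the other rejections in this file send via `trackback_response( 1, … )`; that is pre-existing, but since the condition is being touched it may be worth aligning.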
@@ -75,62 +76,79 @@
 $blog_name = mb_convert_encoding( $blog_name, get_option( 'blog_charset' ), $charset );
 }
-// Now that mb_convert_encoding() has been given a swing, we need to escape these three.
+// Escape values to use in the trackback.
 $title = wp_slash( $title );
 $excerpt = wp_slash( $excerpt );
 $blog_name = wp_slash( $blog_name );
 if ( is_single() || is_page() ) {
- $tb_id = $posts[0]->ID;
+ $post_id = $posts[0]->ID;
 }
-if ( ! isset( $tb_id ) || ! (int) $tb_id ) {
+if ( ! isset( $post_id ) || ! (int) $post_id ) {
 trackback_response( 1, __( 'I really need an ID for this to work.' ) );
 }
-if ( empty( $title ) && empty( $tb_url ) && empty( $blog_name ) ) {
+if ( empty( $title ) && empty( $trackback_url ) && empty( $blog_name ) ) {
 // If it doesn't look like a trackback at all.
- wp_redirect( get_permalink( $tb_id ) );
+ wp_redirect( get_permalink( $post_id ) );
 exit;
 }
-if ( ! empty( $tb_url ) && ! empty( $title ) ) {
+if ( ! empty( $trackback_url ) && ! empty( $title ) ) {
 /**
 * Fires before the trackback is added to a post.
 *
 * @since 4.7.0
 *
- * @param int $tb_id Post ID related to the trackback.
- * @param string $tb_url Trackback URL.
- * @param string $charset Character Set.
- * @param string $title Trackback Title.
- * @param string $excerpt Trackback Excerpt.
- * @param string $blog_name Blog Name.
+ * @param int $post_id Post ID related to the trackback.
+ * @param string $trackback_url Trackback URL.
+ * @param string $charset Character set.
+ * @param string $title Trackback title.
+ * @param string $excerpt Trackback excerpt.
+ * @param string $blog_name Site name.
 */
- do_action( 'pre_trackback_post', $tb_id, $tb_url, $charset, $title, $excerpt, $blog_name );
+ do_action( 'pre_trackback_post', $post_id, $trackback_url, $charset, $title, $excerpt, $blog_name );
 header( 'Content-Type: text/xml; charset=' . get_option( 'blog_charset' ) );
- if ( ! pings_open( $tb_id ) ) {
+ if ( ! pings_open( $post_id ) ) {
 trackback_response( 1, __( 'Sorry, trackbacks are closed for this item.' ) );
 }
 $title = wp_html_excerpt( $title, 250, '…' );
 $excerpt = wp_html_excerpt( $excerpt, 252, '…' );
- $comment_post_ID = (int) $tb_id;
+ $comment_post_id = (int) $post_id;
 $comment_author = $blog_name;
 $comment_author_email = '';
- $comment_author_url = $tb_url;
+ $comment_author_url = $trackback_url;
 $comment_content = "$title\n\n$excerpt";
 $comment_type = 'trackback';
- $dupe = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $comment_post_ID, $comment_author_url ) );
+ $dupe = $wpdb->get_results(
+ $wpdb->prepare(
+ "SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s",
+ $comment_post_id,
+ $comment_author_url
+ )
+ );
+
 if ( $dupe ) {
 trackback_response( 1, __( 'There is already a ping from that URL for this post.' ) );
 }
- $commentdata = compact( 'comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type' );
+ $commentdata = array(
+ 'comment_post_ID' => $comment_post_id,
+ );
+
+ $commentdata += compact(
+ 'comment_author',
+ 'comment_author_email',
+ 'comment_author_url',
+ 'comment_content',
+ 'comment_type'
+ );
 $result = wp_new_comment( $commentdata );
@@ -148,5 +166,6 @@
 * @param int $trackback_id Trackback ID.
 */
 do_action( 'trackback_post', $trackback_id );
+
 trackback_response( 0 );
 }
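Review bot: The new `$commentdata` construction builds a one-element array and then `+= compact( … )` five more names, which reads like a workaround for `compact()` needing a variable literally named `$comment_post_ID` now that the local has been renamed to `$comment_post_id`; the key itself must stay capitalised because it mirrors the `comment_post_ID` column used in the `$wpdb->prepare()` query a few lines above. A single literal array makes both the key casing and every value explicit, drops the runtime name lookup of `compact()`, and gives the casing mismatch a natural place for a why-comment. The `SELECT *` duplicate check only tests for existence, so `get_var()` on `SELECT comment_ID … LIMIT 1` would do the same work more cheaply, though that is pre-existing. The enclosing `if ( ! empty( $trackback_url ) … )` block opens in this hunk and is closed in the following one.
```php
	// Key casing follows the comments table column (comment_post_ID); the local is snake_case.
	$commentdata = array(
		'comment_post_ID'      => $comment_post_id,
		'comment_author'       => $comment_author,
		'comment_author_email' => $comment_author_email,
		'comment_author_url'   => $comment_author_url,
		'comment_content'      => $comment_content,
		'comment_type'         => $comment_type,
	);
	// … unchanged: wp_new_comment() call …
```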