[wp-trac] [WordPress Trac] #64541: In GET requests, interfaces containing the `search` parameter can be vulnerable to logic errors triggered by the input `%2500`.

WordPress Trac noreply at wordpress.org
Thu Jan 22 13:57:32 UTC 2026


#64541: In GET requests, interfaces containing the `search` parameter can be
vulnerable to logic errors triggered by the input `%2500`.
--------------------------+-----------------------------
 Reporter:  nefelibata    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  6.9
 Severity:  major         |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The returned result is incorrect.

 === Detailed Interaction Log ===
 Operation ID: GET_/tags

 --- API Operation ---
 Endpoint: /tags
 Method: GET

 --- API Parameters ---
 Path Parameters:
   <none>
 Query Parameters:
   - page =  (type: integer)
   - slug =  (type: string)
   - order =  (type: string)
   - exclude =  (type: array)
   - hide_empty =  (type: boolean)
   - post =  (type: integer)
   - context =  (type: string)
   - per_page = per_page=100 (type: integer)
   - search = search=%2500 (type: string)
   - orderby =  (type: string)
   - include =  (type: array)
 Request Body Parameters:
   <none>

 --- API Request ---
 Headers: Accept: application/json
 Authorization: ██

 Body: <null>

 --- API Response ---
 Status Code: 200
 Headers: Date: Thu, 22 Jan 2026 12:08:04 GMT
 Server: Apache/2.4.62 (Debian)
 X-Powered-By: PHP/8.2.27
 X-Robots-Tag: noindex
 Link: <http://localhost/wp-json/>; rel="https://api.w.org/"
 X-Content-Type-Options: nosniff
 Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
 Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
 X-WP-Total: 1
 X-WP-TotalPages: 1
 Allow: GET, POST
 Expires: Wed, 11 Jan 1984 05:00:00 GMT
 Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
 Content-Length: 685
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: application/json; charset=UTF-8

 Body:
 [{"id":259,"count":0,"description":"","link":"http:\/\/localhost\/tag\/misconceptions-tetranitromethane-overbears-nanga-n\/","name":"00124819961","slug":"misconceptions-tetranitromethane-overbears-nanga-n","taxonomy":"post_tag","meta":[],"_links":{"self":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/tags\/259","targetHints":{"allow":["GET","POST","PUT","PATCH","DELETE"]}}],"collection":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/tags"}],"about":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/taxonomies\/post_tag"}],"wp:post_type":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/posts?tags=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}]

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64541>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
