[wp-trac] [WordPress Trac] #64541: In GET requests, interfaces containing the `search` parameter can be vulnerable to logic errors triggered by the input `%2500`.
WordPress Trac
noreply at wordpress.org
Thu Jan 22 15:24:01 UTC 2026
#64541: In GET requests, interfaces containing the `search` parameter can be vulnerable to logic errors triggered by the input `%2500`.
--------------------------+------------------------------
Reporter: nefelibata | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 6.9
Severity: major | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Description changed by sabernhardt:
Old description:
> The returned result is incorrect.
>
> === Detailed Interaction Log ===
> Operation ID: GET_/tags
>
> --- API Operation ---
> Endpoint: /tags
> Method: GET
>
> --- API Parameters ---
> Path Parameters:
> <none>
> Query Parameters:
> - page = (type: integer)
> - slug = (type: string)
> - order = (type: string)
> - exclude = (type: array)
> - hide_empty = (type: boolean)
> - post = (type: integer)
> - context = (type: string)
> - per_page = per_page=100 (type: integer)
> - search = search=%2500 (type: string)
> - orderby = (type: string)
> - include = (type: array)
> Request Body Parameters:
> <none>
>
> --- API Request ---
> Headers: Accept: application/json
> Authorization: ██
>
> Body: <null>
>
> --- API Response ---
> Status Code: 200
> Headers: Date: Thu, 22 Jan 2026 12:08:04 GMT
> Server: Apache/2.4.62 (Debian)
> X-Powered-By: PHP/8.2.27
> X-Robots-Tag: noindex
> Link: <http://localhost/wp-json/>; rel="https://api.w.org/"
> X-Content-Type-Options: nosniff
> Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
> Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
> X-WP-Total: 1
> X-WP-TotalPages: 1
> Allow: GET, POST
> Expires: Wed, 11 Jan 1984 05:00:00 GMT
> Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
> Content-Length: 685
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: application/json; charset=UTF-8
>
> Body:
> [
>   {
>     "id": 259,
>     "count": 0,
>     "description": "",
>     "link": "http:\/\/localhost\/tag\/misconceptions-tetranitromethane-overbears-nanga-n\/",
>     "name": "00124819961",
>     "slug": "misconceptions-tetranitromethane-overbears-nanga-n",
>     "taxonomy": "post_tag",
>     "meta": [],
>     "_links": {
>       "self": [
>         {
>           "href": "http:\/\/localhost\/wp-json\/wp\/v2\/tags\/259",
>           "targetHints": {"allow": ["GET", "POST", "PUT", "PATCH", "DELETE"]}
>         }
>       ],
>       "collection": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/tags"}],
>       "about": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/taxonomies\/post_tag"}],
>       "wp:post_type": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/posts?tags=259"}],
>       "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
>     }
>   }
> ]
New description:
The returned result is incorrect.
=== Detailed Interaction Log ===
{{{
Operation ID: GET_/tags
--- API Operation ---
Endpoint: /tags
Method: GET
--- API Parameters ---
Path Parameters:
<none>
Query Parameters:
- page = (type: integer)
- slug = (type: string)
- order = (type: string)
- exclude = (type: array)
- hide_empty = (type: boolean)
- post = (type: integer)
- context = (type: string)
- per_page = per_page=100 (type: integer)
- search = search=%2500 (type: string)
- orderby = (type: string)
- include = (type: array)
Request Body Parameters:
<none>
--- API Request ---
Headers: Accept: application/json
Authorization: ██
Body: <null>
--- API Response ---
Status Code: 200
Headers: Date: Thu, 22 Jan 2026 12:08:04 GMT
Server: Apache/2.4.62 (Debian)
X-Powered-By: PHP/8.2.27
X-Robots-Tag: noindex
Link: <http://localhost/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
X-WP-Total: 1
X-WP-TotalPages: 1
Allow: GET, POST
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Content-Length: 685
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
Body:
[
  {
    "id": 259,
    "count": 0,
    "description": "",
    "link": "http:\/\/localhost\/tag\/misconceptions-tetranitromethane-overbears-nanga-n\/",
    "name": "00124819961",
    "slug": "misconceptions-tetranitromethane-overbears-nanga-n",
    "taxonomy": "post_tag",
    "meta": [],
    "_links": {
      "self": [
        {
          "href": "http:\/\/localhost\/wp-json\/wp\/v2\/tags\/259",
          "targetHints": {"allow": ["GET", "POST", "PUT", "PATCH", "DELETE"]}
        }
      ],
      "collection": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/tags"}],
      "about": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/taxonomies\/post_tag"}],
      "wp:post_type": [{"href": "http:\/\/localhost\/wp-json\/wp\/v2\/posts?tags=259"}],
      "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
    }
  }
]
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64541#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>