Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#62828 new defect (bug)

Array should not be passed to get_page_by_path()

Reported by: leedxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.7.1
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

We have been logging the following, as a result of an unauthorised vulnerability scan on a site we host:

PHP Warning:  urldecode() expects parameter 1 to be string, array given in /var/www/html/wp-includes/post.php on line 6033

This occurs when an array is being passed to get_page_by_path().

I was able to reproduce using

curl -g "http://localhost/?year[1]=1"

This specific instance occurred in wp_resolve_numeric_slug_conflicts(), where user-supplied values of "month", "year", etc. are passed to get_page_by_path().
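
How the request in the description becomes an array, and a type guard that stops it before a string-only function sees it, as an added example that is neither WordPress core code nor the attached patch. The names lookup_by_path_demo() and scalar_query_var() are hypothetical, and the query strings are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a slug lookup that, like the code at the
// warning site, calls urldecode() on its argument. Not WordPress code.
function lookup_by_path_demo(string $path): string
{
    return 'looked up: ' . urldecode($path);
}

// Guard: only pass a query variable on when it is a scalar. Arrays
// (e.g. from "year[1]=1") and missing keys are rejected as null.
function scalar_query_var(array $query, string $key): ?string
{
    if (!isset($query[$key]) || !is_scalar($query[$key])) {
        return null;
    }
    return (string) $query[$key];
}

// Constructed sample query strings: the first mirrors the curl
// reproduction in the ticket, the second is an ordinary request.
$samples = ['year[1]=1', 'year=2024'];

foreach ($samples as $raw) {
    // parse_str() applies the same bracket-to-array rules PHP uses
    // when it fills $_GET.
    parse_str($raw, $query);

    $year = scalar_query_var($query, 'year');
    if ($year === null) {
        echo $raw, ' => rejected (', gettype($query['year'] ?? null), ")\n";
        continue;
    }
    echo $raw, ' => ', lookup_by_path_demo($year), "\n";
}
```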

Attachments (1)

rewrite_path.patch (520 bytes) - added by leedxw 2 months ago.
Patch to rewrite.php to check for array


Change History (4)

@leedxw
2 months ago

Patch to rewrite.php to check for array

#1 @sukhendu2002
2 months ago

  • Keywords has-patch added
  • Version set to 6.7.1

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.7.1
  • PHP: 8.2.27
  • Server: nginx/1.27.3
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.27)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).

Additional Notes

I am able to reproduce the issue in WordPress 6.7.1; however, I am not able to reproduce it in the trunk.

#2 @sainathpoojary
2 months ago

I can confirm that the "Warning: Array to string conversion" warning is occurring in WordPress 6.7.1, when an array is passed to get_page_by_path(). However, this issue does not happen in the current trunk version.

WordPress 6.7.1:
https://rioudcpuyg.ufs.sh/f/PL8E4NiPUWyOM9i9B5hp3F90beESqliHBLy7PKXG5nvmwjAd

Trunk:
https://rioudcpuyg.ufs.sh/f/PL8E4NiPUWyO6qsDFx8XILecyvHwBdbisfSAoq2h5TGkQU0C

#3 @abcd95
2 months ago

Hey @leedxw, thanks for bringing this up.

As mentioned in the above two comments, the warning is visible in 6.7.1 and not on the trunk. So I upgraded to the nightly build, and I was able to see the warning there too.

And the patch works fine, fixing the warning. However, it would be better to further sanitize the variable to make sure a string is passed.
