Opened 4 weeks ago
Last modified 3 weeks ago
#64507 reviewing defect (bug)
Fatal errors can ensue in WP_Query when requests are made with array query vars
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Query | Keywords: | needs-patch |
| Focuses: | Cc: |
Description
Investigating 5XX errors, I see numerous fatal errors triggered because user provided value author_name is not validated to be a string.
(HTTP-provided arguments are strings or arrays)
To reproduce:
curl -g "http://localhost/?author_name[x]=bob"
[15-Jan-2026 10:51:57 UTC] PHP Fatal error: Uncaught TypeError: str_contains(): Argument #1 ($haystack) must be of type string, array given in /var/www/html/wp-includes/class-wp-query.php:2422
Stack trace:
#0 /var/www/html/wp-includes/class-wp-query.php(2422): str_contains()
#1 /var/www/html/wp-includes/class-wp-query.php(3958): WP_Query->get_posts()
#2 /var/www/html/wp-includes/class-wp.php(704): WP_Query->query()
#3 /var/www/html/wp-includes/class-wp.php(824): WP->query_posts()
#4 /var/www/html/wp-includes/functions.php(1343): WP->main()
#5 /var/www/html/wp-blog-header.php(16): wp()
#6 /var/www/html/index.php(17): require('...')
#7 {main}
thrown in /var/www/html/wp-includes/class-wp-query.php on line 2422
Attachments (1)
Change History (7)
#2
@
3 weeks ago
- Milestone changed from Awaiting Review to 7.0
- Owner set to westonruter
- Status changed from new to reviewing
Also relates to #64238, as PHPStan could in the future identify problems like this.
@leedxw Are you aware of the code which is making these malformed requests?
#3
@
3 weeks ago
This came as a result of investigating fatal errors caused by a hack attempts on a website - not legitimate code.
(Some of the patterns indicate the use of the Acunetix testing tool.)
This ticket was mentioned in PR #10792 on WordPress/wordpress-develop by @westonruter.
3 weeks ago
#5
Trac ticket: https://core.trac.wordpress.org/ticket/64507
#6
@
3 weeks ago
- Keywords needs-patch added; has-patch removed
- Milestone changed from 7.0 to Future Release
- Owner westonruter deleted
- Summary changed from Fatal error when author_name is not a string to Fatal errors can ensue in WP_Query when requests are made with array query vars
I opened a PR for the patch and I started iterating on it a bit more to account for other query vars which may erroneously be arrays.
I'm sure there are many more query vars that need to be accounted for to prevent possible fatal errors from bad requests. It seems strange to limit the scope to author_name only when the error could occur for others. So I'll leave this open for other to find more opportunities to harden WP_Query in how the query vars are passed.
patch to check if author_name is a string