Make WordPress Core

Opened 7 weeks ago

Last modified 4 weeks ago

#65124 new defect (bug)

Please include additional data validation in class-IXR-server.php

Reported by: eeeeeeeeeeeee
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.7
Component: General
Keywords: has-patch has-unit-tests
Focuses: php-compatibility
Cc:

Description

Line 95 of /wp-includes/IXR/class-IXR-server.php is causing a fatal error, because malicious traffic is posting non-countable $args.

Attachments (1)

65124.patch (1.1 KB) - added by yasirkhalifa 6 weeks ago.
patch file


Change History (7)

#1 @mindctrl
7 weeks ago

  • Keywords needs-patch added
  • Version set to 4.7

#2 @galbaras
6 weeks ago

Here's the error message, just to help people find this ticket:

[23-Apr-2026 14:53:07 UTC] PHP Fatal error:  Uncaught TypeError: count(): Argument #1 ($value) must be of type Countable|array, null given in ROOT/wp-includes/IXR/class-IXR-server.php:95
Stack trace:
#0 ROOT/wp-includes/IXR/class-IXR-server.php(207): IXR_Server->call()
#1 ROOT/wp-includes/IXR/class-IXR-server.php(109): IXR_Server->multiCall()
#2 ROOT/wp-includes/IXR/class-IXR-server.php(59): IXR_Server->call()
#3 ROOT/wp-includes/IXR/class-IXR-server.php(27): IXR_Server->serve()
#4 ROOT/wp-includes/IXR/class-IXR-server.php(35): IXR_Server->__construct()
#5 ROOT/wp-includes/class-wp-xmlrpc-server.php(246): IXR_Server->IXR_Server()
#6 ROOT/xmlrpc.php(85): wp_xmlrpc_server->serve_request()
#7 {main}
  thrown in ROOT/wp-includes/IXR/class-IXR-server.php on line 95

Also, when $args isn't as expected, it will be good to provide some context information to help troubleshoot and protect the site.

Last edited 6 weeks ago by galbaras

@yasirkhalifa
6 weeks ago

patch file

#3 @yasirkhalifa
6 weeks ago

  • Keywords has-patch added; needs-patch removed

Adds validation for malformed XML-RPC arguments before count() is called in IXR_Server, preventing fatal errors when non-countable values are received from invalid requests.

#4
4 weeks ago

This ticket was mentioned in PR #11842 on WordPress/wordpress-develop by @tommusrhodus.

  • Keywords has-unit-tests added

*AI Description*: Validates the per-call structure inside IXR_Server::multiCall() and returns a spec-compliant fault (-32602) for malformed entries, rather than passing non-array values to IXR_Server::call() where count() would TypeError on PHP 8+. Also adds a defensive guard inside call() mirroring the existing pattern in IXR_IntrospectionServer::call().

*Human Discussion*:

  • Solves a 500 error being thrown in wp-includes/IXR/class-IXR-server.php, likely by malicious traffic.
  • Expands upon the existing patch in 65124 to avoid creating issues downstream by simply checking $args is an array.

Tested locally by creating an XML file with the following content:

<?xml version="1.0"?>
  <methodCall>
    <methodName>system.multicall</methodName>
    <params>
      <param><value><array><data>
        <value><struct>
          <member><name>methodName</name><value><string>system.listMethods</string></value></member>
          <member><name>params</name><value><string>malicious-non-array</string></value></member>
        </struct></value>
      </data></array></value></param>
    </params>
  </methodCall>

and then posting that to the local server:

curl -sS -X POST -H 'Content-Type: text/xml' \
    --data-binary @repro-ixr-multicall.xml \
    http://localhost:8889/xmlrpc.php -o /tmp/resp.xml -w '%{http_code}\n'

The return before this patch:

500
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>500</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>&lt;p&gt;There has been a critical error on this website.&lt;/p&gt;&lt;p&gt;&lt;a href=&quot;https://wordpress.org/documentation/article/faq-troubleshooting/&quot;&gt;Learn more about troubleshooting WordPress.&lt;/a&gt;&lt;/p&gt;</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

The return after this patch:

200
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><struct>
  <member><name>faultCode</name><value><int>-32602</int></value></member>
  <member><name>faultString</name><value><string>server error. invalid method call structure</string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

Trac ticket: https://core.trac.wordpress.org/ticket/65124

## Use of AI Tools

AI assistance: Yes
Tool(s): Claude
Model(s): Opus 4.7
Used for: Initial investigation route and test suggestions; final implementation and tests were reviewed and edited by me.
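
The multiCall() -> call() dispatch described in this comment, as an added PHP illustration that is not the PR's code and not the code in wp-includes/IXR. The functions `call_stub()`, `multi_call()` and `fault()` are assumed stand-ins reduced to the count() line the trace points at; the payload is the decoded form of the repro XML above plus an entry with no params at all, which reaches count() as null like the logged trace. Run it under PHP 8 to see the TypeError, then the per-entry -32602 faults:

```php
<?php
// Added illustration, not code from the PR or from wp-includes/IXR: a reduced
// stand-in for the multiCall() -> call() dispatch in the trace above, showing
// why count() on a non-array $args is fatal on PHP 8 and what the -32602 guard
// changes. Names (call_stub, multi_call, fault) are assumed for this example.
declare(strict_types=1);

// Spec-style fault structure, the shape WordPress serialises as <fault>/<struct>.
function fault(int $code, string $message): array {
    return ['faultCode' => $code, 'faultString' => $message];
}

// Stand-in for the registered 'system.listMethods' callback.
function list_methods(): array {
    return ['system.listMethods', 'system.multicall'];
}

// Stand-in for IXR_Server::call(). The count() line mirrors the failing one:
// PHP 8 throws TypeError for a string or null $args; PHP 7 only warned.
function call_stub(string $method, $args) {
    if ($method !== 'system.listMethods') {
        return fault(-32601, 'server error. requested method ' . $method . ' does not exist.');
    }
    if (count($args) === 1) {   // fatal on PHP 8+ when $args is not array|Countable
        $args = $args[0];
    }
    return list_methods();
}

// Stand-in for IXR_Server::multiCall(). With $guard=false every entry goes
// straight to call_stub(); with $guard=true a malformed entry gets a -32602
// fault and the loop continues with the next call.
function multi_call(array $calls, bool $guard): array {
    $results = [];
    foreach ($calls as $call) {
        if ($guard) {
            $ok = is_array($call)
                && isset($call['methodName']) && is_string($call['methodName'])
                && is_array($call['params'] ?? null);
            if (!$ok) {
                $results[] = fault(-32602, 'server error. invalid method call structure');
                continue;
            }
        }
        $results[] = call_stub($call['methodName'], $call['params'] ?? null);
    }
    return $results;
}

// Constructed payload: the decoded form of the repro XML above (params is a
// string, not an array), an entry with params missing entirely (reaches
// count() as null, matching "null given" in the logged trace), and one
// well-formed entry that should still be served.
$payload = [
    ['methodName' => 'system.listMethods', 'params' => 'malicious-non-array'],
    ['methodName' => 'system.listMethods'],
    ['methodName' => 'system.listMethods', 'params' => []],
];

// Before the guard: the first malformed entry aborts the whole request.
try {
    multi_call($payload, false);
    echo "before: no TypeError (PHP 7 only warns)\n";
} catch (TypeError $e) {
    echo "before: " . $e->getMessage() . "\n";
}

// After the guard: one fault per malformed entry, and the well-formed call runs.
foreach (multi_call($payload, true) as $i => $result) {
    echo "after[$i]: " . json_encode($result) . "\n";
}
```

The guard sits in the multicall loop rather than only inside call() so that one bad entry in a batch produces one fault element in the response array and the remaining entries are still dispatched, which is what the 200 response above shows; a guard only inside call() would also stop the TypeError but is the second line of defence, not the first.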

#5
4 weeks ago

@tommusrhodus commented on PR #11842:

Unit test failures seem unrelated and belong to different testing groups.

#6
4 weeks ago

@tommusrhodus commented on PR #11842:

Unit test failures seem unrelated and belong to different testing groups.
