Opened 6 hours ago
Last modified 6 hours ago
#65536 new defect (bug)
XML-RPC: Argument mismatch in _multisite_getUsersBlogs
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | trunk |
| Component: | XML-RPC | Keywords: | has-patch has-unit-tests |
| Focuses: | multisite | Cc: |
Description
When blogger_getUsersBlogs is called, it receives 3 arguments as documented: array( blog_id, username, password ). If the environment is multi-site, it delegates to the protected helper method _multisite_getUsersBlogs( $args ).
_multisite_getUsersBlogs() then passes these arguments directly to wp_getUsersBlogs( $args ) without removing the unused blog_id. However, wp_getUsersBlogs() expects an array with only 2 arguments: array( username, password ). Because the blog_id is still at index 0, wp_getUsersBlogs() mistakenly attempts to authenticate using the blog_id as the $username, and the username as the $password. This naturally triggers an authentication failure.
Environment
- WordPress: 7.1-alpha-62161-src
- Subdirectory: No
- PHP: 8.3.30
- Server: nginx/1.31.1
- Database: mysqli (Server: 8.4.9 / Client: mysqlnd 8.3.30)
- Browser: Chrome 149.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.5
- MU Plugins: None
- Plugins: None
Expected Results
- ✅ The method should successfully authenticate the user and return an array containing the user's blogs, properly stripped of the
blog_idparameter.
Actual Results
- ❌ The method fails authentication because it tries to use the
blog_idas the username.
Supplemental Artifacts
Change History (1)
This ticket was mentioned in PR #12309 on WordPress/wordpress-develop by @sainathpoojary.
6 hours ago
#1
- Keywords has-patch has-unit-tests added
Trac ticket: #65536