
Security enhancements #20

@mathetos

Description

  • I've read and understood the contribution guidelines.
  • I've searched for any related issues and avoided creating a duplicate issue.

Please give us a description of what happened

The plugin uses wp_redirect() with user-influenced URLs, parse_url() instead of wp_parse_url(), and unsanitized $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_ACCEPT']. That can introduce an open redirect risk, inconsistent behavior across PHP versions, and potential misuse of untrusted input.

To Reproduce

Step-by-step reproduction instructions

  1. Install and activate the plugin.
  2. Visit a .md URL or trigger the Accept header negotiation path.
  3. Observe that redirects and URL handling rely on wp_redirect(), parse_url(), and raw $_SERVER values without sanitization.

Expected results

  1. Redirects use wp_safe_redirect() to avoid open redirects.
  2. URL parsing uses wp_parse_url() for consistency across PHP versions.
  3. Input from $_SERVER is sanitized with wp_unslash() and sanitize_text_field() (or equivalent).
  4. URLs built from user input use esc_url_raw() where appropriate.

Actual results

  1. wp_redirect() is used for URLs that can be influenced by request data.
  2. parse_url() is used instead of wp_parse_url().
  3. $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_ACCEPT'] are used without sanitization.
  4. URLs are not consistently escaped.

Screenshots, screen recording, code snippet

If possible, please provide a screenshot, a screen recording or a code snippet which demonstrates the bug.

Code snippets showing current usage in RewriteHandler.php:

  • wp_redirect() with redirect URLs based on $_SERVER['REQUEST_URI']
  • parse_url($request_uri, PHP_URL_PATH) and parse_url($request_uri, PHP_URL_QUERY)
  • $_SERVER['REQUEST_URI'] ?? '' and $_SERVER['HTTP_ACCEPT'] ?? '' without sanitization

Technical info

  • If relevant, which editor is affected (or editors):
  • Block Editor
  • Gutenberg Editor
  • Elementor Editor
  • Classic Editor
  • Other:
  • Which browser is affected (or browsers):
  • Chrome
  • Firefox
  • Safari
  • Other:

Used versions

  • Device you are using:
  • Operating system:
  • PHP version:
  • WordPress version:
  • WordPress Theme:
  • Plugin version:
  • Relevant plugins in case of a bug:
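As an added illustration that is not the plugin's RewriteHandler.php and not code posted by the issue author: a constructed `template_redirect` handler showing the reported pattern beside the hardened form built from the functions listed under Expected results. It assumes the WordPress runtime is loaded; the function names `md_insecure_handle_request` and `md_hardened_handle_request` and the `text/markdown` negotiation rule are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded
// (wp_unslash, sanitize_text_field, wp_parse_url, home_url, wp_safe_redirect).

// BEFORE (constructed): raw $_SERVER values flow into parse_url() and
// wp_redirect(), so the redirect target is whatever the request supplies.
function md_insecure_handle_request() {
    $request_uri = $_SERVER['REQUEST_URI'] ?? '';
    $accept      = $_SERVER['HTTP_ACCEPT'] ?? '';
    $path        = (string) parse_url( $request_uri, PHP_URL_PATH );

    if ( false !== strpos( $accept, 'text/markdown' ) && '.md' !== substr( $path, -3 ) ) {
        wp_redirect( $request_uri . '.md' ); // target derived from unvalidated input
        exit;
    }
}

// AFTER: the hardened form the issue asks for.
function md_hardened_handle_request() {
    // 1. Unslash and sanitize $_SERVER input before touching it.
    $request_uri = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
    $accept = isset( $_SERVER['HTTP_ACCEPT'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_ACCEPT'] ) ) : '';

    // 2. wp_parse_url() gives consistent results across PHP versions.
    $path  = (string) wp_parse_url( $request_uri, PHP_URL_PATH );
    $query = (string) wp_parse_url( $request_uri, PHP_URL_QUERY );

    if ( false !== strpos( $accept, 'text/markdown' ) && '.md' !== substr( $path, -3 ) ) {
        // 3. Rebuild the target on this site's own host rather than echoing the
        //    request, then escape it for use as a URL.
        $target = home_url( $path . '.md' );
        if ( '' !== $query ) {
            $target = add_query_arg( wp_parse_args( $query ), $target );
        }
        $target = esc_url_raw( $target );

        // 4. wp_safe_redirect() rejects hosts not in allowed_redirect_hosts and
        //    falls back to admin_url(), closing the open-redirect path.
        wp_safe_redirect( $target );
        exit;
    }
}

add_action( 'template_redirect', 'md_hardened_handle_request' );
```

Only the hardened handler is hooked; the insecure one is kept solely to show the difference side by side.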

Labels: bug (Something isn't working)
