--- a/wp/wp-includes/class-wp-xmlrpc-server.php Fri Sep 05 18:40:08 2025 +0200
+++ b/wp/wp-includes/class-wp-xmlrpc-server.php Fri Sep 05 18:52:52 2025 +0200
@@ -285,7 +285,11 @@
* @param string $password User's password.
* @return WP_User|false WP_User object if authentication passed, false otherwise.
*/
- public function login( $username, $password ) {
+ public function login(
+ $username,
+ #[\SensitiveParameter]
+ $password
+ ) {
if ( ! $this->is_enabled ) {
$this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site.' ) ) );
return false;
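Review bot: The two `#[\SensitiveParameter]` lines have no comment explaining why the attribute sits on a line of its own, and that placement is load-bearing: before PHP 8 a `#` starts a line comment, so putting the attribute on the same line as `$password` would comment the parameter out. I would add `// Keep the attribute on its own line; PHP < 8 parses it as a comment.` above it here and in the `login_pass_ok()` hunk. The docblock could also say that the attribute only redacts the value from backtraces on PHP 8.2 and later, so it does not replace keeping the password out of logs and hook arguments elsewhere. The body of `login()` continues past the end of this hunk.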
@@ -330,7 +334,11 @@
* @param string $password User's password.
* @return bool Whether authentication passed.
*/
- public function login_pass_ok( $username, $password ) {
+ public function login_pass_ok(
+ $username,
+ #[\SensitiveParameter]
+ $password
+ ) {
return (bool) $this->login( $username, $password );
}
@@ -426,7 +434,7 @@
$meta['id'] = (int) $meta['id'];
$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
- if ( ! $pmeta || $pmeta->post_id != $post_id ) {
+ if ( ! $pmeta || (int) $pmeta->post_id !== $post_id ) {
continue;
}
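Review bot: Only the left operand is cast in `(int) $pmeta->post_id !== $post_id`, so this ownership check now depends on `$post_id` already being an integer, which the hunk does not show. If a caller passes the ID as a numeric string, the strict comparison is always unequal and every custom field is skipped; that fails closed, but silently, and `if ( ! $pmeta || (int) $pmeta->post_id !== (int) $post_id ) {` removes the dependency. The same question applies to `$blog->site_id !== $current_network_id`, to `$post_data['post_author'] !== $user->ID` and to the `'0' === $comment->comment_approved` chain in later hunks, where the operand types are set outside the visible lines. The enclosing function starts and ends outside this hunk.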
@@ -735,17 +743,20 @@
*/
do_action( 'xmlrpc_call', 'wp.getUsersBlogs', $args, $this );
- $blogs = (array) get_blogs_of_user( $user->ID );
- $struct = array();
+ $blogs = (array) get_blogs_of_user( $user->ID );
+ $struct = array();
+
$primary_blog_id = 0;
$active_blog = get_active_blog_for_user( $user->ID );
if ( $active_blog ) {
$primary_blog_id = (int) $active_blog->blog_id;
}
+ $current_network_id = get_current_network_id();
+
foreach ( $blogs as $blog ) {
// Don't include blogs that aren't hosted at this site.
- if ( get_current_network_id() != $blog->site_id ) {
+ if ( $blog->site_id !== $current_network_id ) {
continue;
}
@@ -1179,11 +1190,11 @@
// Format page date.
$comment_date_gmt = $this->_convert_date_gmt( $comment->comment_date_gmt, $comment->comment_date );
- if ( '0' == $comment->comment_approved ) {
+ if ( '0' === $comment->comment_approved ) {
$comment_status = 'hold';
} elseif ( 'spam' === $comment->comment_approved ) {
$comment_status = 'spam';
- } elseif ( '1' == $comment->comment_approved ) {
+ } elseif ( '1' === $comment->comment_approved ) {
$comment_status = 'approve';
} else {
$comment_status = $comment->comment_approved;
@@ -1488,7 +1499,7 @@
}
$post_data['post_author'] = absint( $post_data['post_author'] );
- if ( ! empty( $post_data['post_author'] ) && $post_data['post_author'] != $user->ID ) {
+ if ( ! empty( $post_data['post_author'] ) && $post_data['post_author'] !== $user->ID ) {
if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
return new IXR_Error( 401, __( 'Sorry, you are not allowed to create posts as this user.' ) );
}
@@ -1513,17 +1524,17 @@
// Do some timestamp voodoo.
if ( ! empty( $post_data['post_date_gmt'] ) ) {
// We know this is supposed to be GMT, so we're going to slap that Z on there by force.
- $dateCreated = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
+ $date_created = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
} elseif ( ! empty( $post_data['post_date'] ) ) {
- $dateCreated = $post_data['post_date']->getIso();
+ $date_created = $post_data['post_date']->getIso();
}
// Default to not flagging the post date to be edited unless it's intentional.
$post_data['edit_date'] = false;
- if ( ! empty( $dateCreated ) ) {
- $post_data['post_date'] = iso8601_to_datetime( $dateCreated );
- $post_data['post_date_gmt'] = iso8601_to_datetime( $dateCreated, 'gmt' );
+ if ( ! empty( $date_created ) ) {
+ $post_data['post_date'] = iso8601_to_datetime( $date_created );
+ $post_data['post_date_gmt'] = iso8601_to_datetime( $date_created, 'gmt' );
// Flag the post date to be edited.
$post_data['edit_date'] = true;
@@ -3504,7 +3515,7 @@
$status = wp_delete_term( $category_id, 'category' );
- if ( true == $status ) {
+ if ( true === $status ) {
/**
* Fires after a category has been successfully deleted via XML-RPC.
*
@@ -3754,7 +3765,7 @@
$status = wp_delete_comment( $comment_id );
- if ( $status ) {
+ if ( true === $status ) {
/**
* Fires after a comment has been successfully deleted via XML-RPC.
*
@@ -3837,9 +3848,10 @@
// Do some timestamp voodoo.
if ( ! empty( $content_struct['date_created_gmt'] ) ) {
// We know this is supposed to be GMT, so we're going to slap that Z on there by force.
- $dateCreated = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
- $comment['comment_date'] = get_date_from_gmt( $dateCreated );
- $comment['comment_date_gmt'] = iso8601_to_datetime( $dateCreated, 'gmt' );
+ $date_created = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
+
+ $comment['comment_date'] = get_date_from_gmt( $date_created );
+ $comment['comment_date_gmt'] = iso8601_to_datetime( $date_created, 'gmt' );
}
if ( isset( $content_struct['content'] ) ) {
@@ -4019,7 +4031,7 @@
}
if ( ! $comment_id ) {
- return new IXR_Error( 403, __( 'Something went wrong.' ) );
+ return new IXR_Error( 403, __( 'An error occurred while processing your comment. Please ensure all fields are filled correctly and try again.' ) );
}
/**
@@ -4326,7 +4338,7 @@
continue;
}
- if ( true == $this->blog_options[ $o_name ]['readonly'] ) {
+ if ( $this->blog_options[ $o_name ]['readonly'] ) {
continue;
}
@@ -4883,7 +4895,7 @@
return $blogs;
}
- if ( $_SERVER['HTTP_HOST'] == $domain && $_SERVER['REQUEST_URI'] == $path ) {
+ if ( $_SERVER['HTTP_HOST'] === $domain && $_SERVER['REQUEST_URI'] === $path ) {
return $blogs;
} else {
foreach ( (array) $blogs as $blog ) {
@@ -5039,7 +5051,7 @@
$posts_list = wp_get_recent_posts( $query );
if ( ! $posts_list ) {
- $this->error = new IXR_Error( 500, __( 'Either there are no posts, or something went wrong.' ) );
+ $this->error = new IXR_Error( 500, __( 'No posts found or an error occurred while retrieving posts.' ) );
return $this->error;
}
@@ -5142,7 +5154,15 @@
$post_date = current_time( 'mysql' );
$post_date_gmt = current_time( 'mysql', 1 );
- $post_data = compact( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_title', 'post_category', 'post_status' );
+ $post_data = compact(
+ 'post_author',
+ 'post_date',
+ 'post_date_gmt',
+ 'post_content',
+ 'post_title',
+ 'post_category',
+ 'post_status'
+ );
$post_id = wp_insert_post( $post_data );
if ( is_wp_error( $post_id ) ) {
@@ -5448,8 +5468,8 @@
$post_author = $user->ID;
- // If an author id was provided then use it instead.
- if ( isset( $content_struct['wp_author_id'] ) && ( $user->ID != $content_struct['wp_author_id'] ) ) {
+ // If an author ID was provided then use it instead.
+ if ( isset( $content_struct['wp_author_id'] ) && ( $user->ID !== (int) $content_struct['wp_author_id'] ) ) {
switch ( $post_type ) {
case 'post':
if ( ! current_user_can( 'edit_others_posts' ) ) {
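Review bot: The `(int)` cast on `$content_struct['wp_author_id']` is applied only inside the comparison, so the value that is checked and the value that is used can differ if the raw struct member is read again later in the function, which is outside this hunk. A client-supplied value that is not a clean integer (a constructed example is `'5abc'`, or an array) casts to an integer that may equal `$user->ID`, which skips the capability switch while the raw value continues on. I would normalise once before the check, `$author_id = (int) $content_struct['wp_author_id'];`, and use `$author_id` both here and wherever the author is assigned. The later hunk with `$user->ID !== (int) $content_struct['wp_author_id'] || $user->ID !== (int) $post_author` has the same shape.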
@@ -5571,16 +5591,16 @@
// Do some timestamp voodoo.
if ( ! empty( $content_struct['date_created_gmt'] ) ) {
// We know this is supposed to be GMT, so we're going to slap that Z on there by force.
- $dateCreated = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
+ $date_created = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
} elseif ( ! empty( $content_struct['dateCreated'] ) ) {
- $dateCreated = $content_struct['dateCreated']->getIso();
+ $date_created = $content_struct['dateCreated']->getIso();
}
$post_date = '';
$post_date_gmt = '';
- if ( ! empty( $dateCreated ) ) {
- $post_date = iso8601_to_datetime( $dateCreated );
- $post_date_gmt = iso8601_to_datetime( $dateCreated, 'gmt' );
+ if ( ! empty( $date_created ) ) {
+ $post_date = iso8601_to_datetime( $date_created );
+ $post_date_gmt = iso8601_to_datetime( $date_created, 'gmt' );
}
$post_category = array();
@@ -5594,7 +5614,26 @@
}
}
- $postdata = compact( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status', 'to_ping', 'post_type', 'post_name', 'post_password', 'post_parent', 'menu_order', 'tags_input', 'page_template' );
+ $postdata = compact(
+ 'post_author',
+ 'post_date',
+ 'post_date_gmt',
+ 'post_content',
+ 'post_title',
+ 'post_category',
+ 'post_status',
+ 'post_excerpt',
+ 'comment_status',
+ 'ping_status',
+ 'to_ping',
+ 'post_type',
+ 'post_name',
+ 'post_password',
+ 'post_parent',
+ 'menu_order',
+ 'tags_input',
+ 'page_template'
+ );
$post_id = get_default_post_to_edit( $post_type, true )->ID;
$postdata['ID'] = $post_id;
@@ -5622,8 +5661,8 @@
}
// Handle enclosures.
- $thisEnclosure = isset( $content_struct['enclosure'] ) ? $content_struct['enclosure'] : null;
- $this->add_enclosure_if_new( $post_id, $thisEnclosure );
+ $enclosure = isset( $content_struct['enclosure'] ) ? $content_struct['enclosure'] : null;
+ $this->add_enclosure_if_new( $post_id, $enclosure );
$this->attach_uploads( $post_id, $post_content );
@@ -5762,7 +5801,7 @@
}
// Thwart attempt to change the post type.
- if ( ! empty( $content_struct['post_type'] ) && ( $content_struct['post_type'] != $postdata['post_type'] ) ) {
+ if ( ! empty( $content_struct['post_type'] ) && ( $content_struct['post_type'] !== $postdata['post_type'] ) ) {
return new IXR_Error( 401, __( 'The post type may not be changed.' ) );
}
@@ -5776,7 +5815,7 @@
$this->escape( $postdata );
- $ID = $postdata['ID'];
+ $post_id = $postdata['ID'];
$post_content = $postdata['post_content'];
$post_title = $postdata['post_title'];
$post_excerpt = $postdata['post_excerpt'];
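Review bot: Renaming `$ID` to `$post_id` turns this line into an assignment to a name the function appears to use already: the removed lines in the later enclosure hunk pass `$post_id` to `add_enclosure_if_new()` next to `$ID`. If the earlier permission check ran against that original `$post_id`, the variable is now overwritten with `$postdata['ID']` after `$this->escape( $postdata )`. The two should be the same post, but nothing in the visible lines enforces it. Either drop the reassignment and keep the already-validated `$post_id`, or add a comment stating that `$postdata['ID']` is the ID that was authorised. The function begins and ends outside this hunk.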
@@ -5815,10 +5854,10 @@
$post_author = $postdata['post_author'];
- // If an author id was provided then use it instead.
+ // If an author ID was provided then use it instead.
if ( isset( $content_struct['wp_author_id'] ) ) {
// Check permissions if attempting to switch author to or from another user.
- if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+ if ( $user->ID !== (int) $content_struct['wp_author_id'] || $user->ID !== (int) $post_author ) {
switch ( $post_type ) {
case 'post':
if ( ! current_user_can( 'edit_others_posts' ) ) {
@@ -5958,17 +5997,17 @@
// Do some timestamp voodoo.
if ( ! empty( $content_struct['date_created_gmt'] ) ) {
// We know this is supposed to be GMT, so we're going to slap that Z on there by force.
- $dateCreated = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
+ $date_created = rtrim( $content_struct['date_created_gmt']->getIso(), 'Z' ) . 'Z';
} elseif ( ! empty( $content_struct['dateCreated'] ) ) {
- $dateCreated = $content_struct['dateCreated']->getIso();
+ $date_created = $content_struct['dateCreated']->getIso();
}
// Default to not flagging the post date to be edited unless it's intentional.
$edit_date = false;
- if ( ! empty( $dateCreated ) ) {
- $post_date = iso8601_to_datetime( $dateCreated );
- $post_date_gmt = iso8601_to_datetime( $dateCreated, 'gmt' );
+ if ( ! empty( $date_created ) ) {
+ $post_date = iso8601_to_datetime( $date_created );
+ $post_date_gmt = iso8601_to_datetime( $date_created, 'gmt' );
// Flag the post date to be edited.
$edit_date = true;
@@ -5977,9 +6016,32 @@
$post_date_gmt = $postdata['post_date_gmt'];
}
+ $newpost = array(
+ 'ID' => $post_id,
+ );
+
+ $newpost += compact(
+ 'post_content',
+ 'post_title',
+ 'post_category',
+ 'post_status',
+ 'post_excerpt',
+ 'comment_status',
+ 'ping_status',
+ 'edit_date',
+ 'post_date',
+ 'post_date_gmt',
+ 'to_ping',
+ 'post_name',
+ 'post_password',
+ 'post_parent',
+ 'menu_order',
+ 'post_author',
+ 'tags_input',
+ 'page_template'
+ );
+
// We've got all the data -- post it.
- $newpost = compact( 'ID', 'post_content', 'post_title', 'post_category', 'post_status', 'post_excerpt', 'comment_status', 'ping_status', 'edit_date', 'post_date', 'post_date_gmt', 'to_ping', 'post_name', 'post_password', 'post_parent', 'menu_order', 'post_author', 'tags_input', 'page_template' );
-
$result = wp_update_post( $newpost, true );
if ( is_wp_error( $result ) ) {
return new IXR_Error( 500, $result->get_error_message() );
@@ -6018,10 +6080,10 @@
}
// Handle enclosures.
- $thisEnclosure = isset( $content_struct['enclosure'] ) ? $content_struct['enclosure'] : null;
- $this->add_enclosure_if_new( $post_id, $thisEnclosure );
-
- $this->attach_uploads( $ID, $post_content );
+ $enclosure = isset( $content_struct['enclosure'] ) ? $content_struct['enclosure'] : null;
+ $this->add_enclosure_if_new( $post_id, $enclosure );
+
+ $this->attach_uploads( $post_id, $post_content );
// Handle post formats if assigned, validation is handled earlier in this function.
if ( isset( $content_struct['wp_post_format'] ) ) {
@@ -6086,9 +6148,9 @@
$post_modified_gmt = $this->_convert_date_gmt( $postdata['post_modified_gmt'], $postdata['post_modified'] );
$categories = array();
- $catids = wp_get_post_categories( $post_id );
- foreach ( $catids as $catid ) {
- $categories[] = get_cat_name( $catid );
+ $cat_ids = wp_get_post_categories( $post_id );
+ foreach ( $cat_ids as $cat_id ) {
+ $categories[] = get_cat_name( $cat_id );
}
$tagnames = array();
@@ -6238,9 +6300,9 @@
$post_modified_gmt = $this->_convert_date_gmt( $entry['post_modified_gmt'], $entry['post_modified'] );
$categories = array();
- $catids = wp_get_post_categories( $entry['ID'] );
- foreach ( $catids as $catid ) {
- $categories[] = get_cat_name( $catid );
+ $cat_ids = wp_get_post_categories( $entry['ID'] );
+ foreach ( $cat_ids as $cat_id ) {
+ $categories[] = get_cat_name( $cat_id );
}
$tagnames = array();
@@ -6433,9 +6495,10 @@
$upload = wp_upload_bits( $name, null, $bits );
if ( ! empty( $upload['error'] ) ) {
/* translators: 1: File name, 2: Error message. */
- $errorString = sprintf( __( 'Could not write file %1$s (%2$s).' ), $name, $upload['error'] );
- return new IXR_Error( 500, $errorString );
- }
+ $error_string = sprintf( __( 'Could not write file %1$s (%2$s).' ), $name, $upload['error'] );
+ return new IXR_Error( 500, $error_string );
+ }
+
// Construct the attachment array.
$post_id = 0;
if ( ! empty( $data['post_id'] ) ) {
@@ -6445,6 +6508,7 @@
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
}
}
+
$attachment = array(
'post_title' => $name,
'post_content' => '',
@@ -6455,20 +6519,20 @@
);
// Save the data.
- $id = wp_insert_attachment( $attachment, $upload['file'], $post_id );
- wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $upload['file'] ) );
+ $attachment_id = wp_insert_attachment( $attachment, $upload['file'], $post_id );
+ wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
/**
* Fires after a new attachment has been added via the XML-RPC MovableType API.
*
* @since 3.4.0
*
- * @param int $id ID of the new attachment.
- * @param array $args An array of arguments to add the attachment.
+ * @param int $attachment_id ID of the new attachment.
+ * @param array $args An array of arguments to add the attachment.
*/
- do_action( 'xmlrpc_call_success_mw_newMediaObject', $id, $args ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.NotLowercase
-
- $struct = $this->_prepare_media_item( get_post( $id ) );
+ do_action( 'xmlrpc_call_success_mw_newMediaObject', $attachment_id, $args ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.NotLowercase
+
+ $struct = $this->_prepare_media_item( get_post( $attachment_id ) );
// Deprecated values.
$struct['id'] = $struct['attachment_id'];
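Review bot: The return value of `wp_insert_attachment()` is used without a check, so a failed insert still reaches `wp_generate_attachment_metadata()`, fires `xmlrpc_call_success_mw_newMediaObject` and passes `get_post( $attachment_id )` to `_prepare_media_item()`. Called without the `$wp_error` argument the function returns 0 on failure, so a guard right after the insert, `if ( ! $attachment_id ) { return new IXR_Error( 500, __( 'Could not insert attachment.' ) ); }`, keeps the success hook from running for an upload that was never recorded. The file already written by `wp_upload_bits()` would probably need removing on that path as well. That part of the function is outside this hunk.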
@@ -6520,7 +6584,7 @@
$posts_list = wp_get_recent_posts( $query );
if ( ! $posts_list ) {
- $this->error = new IXR_Error( 500, __( 'Either there are no posts, or something went wrong.' ) );
+ $this->error = new IXR_Error( 500, __( 'No posts found or an error occurred while retrieving posts.' ) );
return $this->error;
}
@@ -6638,16 +6702,16 @@
do_action( 'xmlrpc_call', 'mt.getPostCategories', $args, $this );
$categories = array();
- $catids = wp_get_post_categories( (int) $post_id );
+ $cat_ids = wp_get_post_categories( (int) $post_id );
// First listed category will be the primary category.
- $isPrimary = true;
- foreach ( $catids as $catid ) {
+ $is_primary = true;
+ foreach ( $cat_ids as $cat_id ) {
$categories[] = array(
- 'categoryName' => get_cat_name( $catid ),
- 'categoryId' => (string) $catid,
- 'isPrimary' => $isPrimary,
+ 'categoryName' => get_cat_name( $cat_id ),
+ 'categoryId' => (string) $cat_id,
+ 'isPrimary' => $is_primary,
);
- $isPrimary = false;
+ $is_primary = false;
}
return $categories;
@@ -6692,12 +6756,12 @@
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
}
- $catids = array();
+ $cat_ids = array();
foreach ( $categories as $cat ) {
- $catids[] = $cat['categoryId'];
- }
-
- wp_set_post_categories( $post_id, $catids );
+ $cat_ids[] = $cat['categoryId'];
+ }
+
+ wp_set_post_categories( $post_id, $cat_ids );
return true;
}
@@ -6885,6 +6949,7 @@
*/
$urltest = parse_url( $pagelinkedto );
$post_id = url_to_postid( $pagelinkedto );
+
if ( $post_id ) {
// $way
} elseif ( isset( $urltest['path'] ) && preg_match( '#p/[0-9]{1,}#', $urltest['path'], $match ) ) {
@@ -6917,15 +6982,15 @@
// TODO: Attempt to extract a post ID from the given URL.
return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either does not exist, or it is not a pingback-enabled resource.' ) );
}
+
$post_id = (int) $post_id;
-
- $post = get_post( $post_id );
+ $post = get_post( $post_id );
if ( ! $post ) { // Post not found.
return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either does not exist, or it is not a pingback-enabled resource.' ) );
}
- if ( url_to_postid( $pagelinkedfrom ) == $post_id ) {
+ if ( url_to_postid( $pagelinkedfrom ) === $post_id ) {
return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
}