• I found an issue with how REST API errors are returned in the plugin.

    When unauthenticated requests hit the plugin’s endpoints (like /wp-json/advanced-db-cleaner/v1/get-system-information), they return an HTTP 500 status. The response body itself contains a 403 code.

    This happens because the permission callback returns a WP_Error but does not specify the HTTP status in the error data. In WordPress, returning a WP_Error from a permission callback without status data defaults the response status to 500.

    In includes/classes/class-adbc-routes.php, the rest_security_check method returns:
    return new WP_Error( ADBC_Rest::UNAUTHORIZED, __( 'Security check failed! Invalid nonce.', 'advanced-database-cleaner' ) );

    Updating the WP_Error constructor to include the status code in the third parameter fixes this:

    return new WP_Error(
        ADBC_Rest::UNAUTHORIZED,
        __( 'Security check failed! Invalid nonce.', 'advanced-database-cleaner' ),
        [ 'status' => 403 ]
    );

    This will correctly return an HTTP 403 Forbidden instead of HTTP 500. This prevents false alarms on server security monitors that watch for 500 errors.

    Thanks,
    Austin
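
    A worked example of the pattern described in the report above, added here as an illustration; it is not code from the Advanced Database Cleaner plugin and was not posted by Austin. It registers a REST route whose permission callback returns WP_Error objects that carry a 'status' in their data, so WP_REST_Server emits 401 or 403 instead of the 500 it falls back to when the status is missing. It also goes one step further than the report by distinguishing anonymous requests (401, via WordPress core's rest_authorization_required_code()) from authenticated requests that lack rights or a valid nonce (403). The namespace example-plugin/v1, the route /system-information, the X-Example-Nonce header, the nonce action example_plugin_rest, and the manage_options capability are all placeholders chosen for this example.

```php
<?php
/**
 * Added example (not the plugin's own code): a REST route whose permission
 * callback always returns a WP_Error with an HTTP status in its data.
 *
 * Assumptions (placeholders, not taken from the original post): the namespace
 * 'example-plugin/v1', the route '/system-information', the custom header
 * 'X-Example-Nonce', the nonce action 'example_plugin_rest' and the
 * capability 'manage_options'.
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-plugin/v1',
        '/system-information',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_plugin_system_information',
            'permission_callback' => 'example_plugin_rest_permission',
        )
    );
} );

/**
 * Permission callback. Returning true grants access; returning a WP_Error
 * denies it. WP_REST_Server reads $error_data['status'] for the HTTP status
 * line; if that key is absent the response is sent as HTTP 500.
 *
 * @param WP_REST_Request $request Incoming request.
 * @return true|WP_Error
 */
function example_plugin_rest_permission( WP_REST_Request $request ) {
    // Anonymous request: rest_authorization_required_code() (WordPress core)
    // returns 401 when nobody is logged in and 403 otherwise.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'example_plugin_unauthenticated',
            __( 'You must be logged in to call this endpoint.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // Logged in but not allowed: a client error, so 403, never 500.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'example_plugin_forbidden',
            __( 'You do not have permission to call this endpoint.', 'example-plugin' ),
            array( 'status' => 403 )
        );
    }

    // Plugin-specific nonce (CSRF protection) sent in a custom header. A custom
    // header is used so it does not collide with the X-WP-Nonce header that
    // core already validates against the 'wp_rest' action. get_header() is
    // case-insensitive. A missing or stale nonce is also a 403.
    $nonce = $request->get_header( 'X-Example-Nonce' );
    if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'example_plugin_rest' ) ) {
        return new WP_Error(
            'example_plugin_invalid_nonce',
            __( 'Security check failed! Invalid nonce.', 'example-plugin' ),
            array( 'status' => 403 )
        );
    }

    return true;
}

/**
 * Route handler, only reached when the permission callback returned true.
 */
function example_plugin_system_information( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
    ) );
}
```

    To confirm the behaviour, request the route without cookies (for example `curl -i https://example.test/wp-json/example-plugin/v1/system-information`, where example.test is a placeholder host) and check that the status line reads 401, not 500; the same request with a logged-in session cookie but no valid X-Example-Nonce header should return 403. Whichever code is chosen, the point of the report holds: an authorization failure is a client error and should never surface as a server error to monitoring.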

Viewing 1 replies (of 1 total)
  • Plugin Author Younes JFR.

    (@symptote)

    Hi Austin,

    Thank you for reporting this. A fix will be provided in the next version.

    I appreciate your cooperation.

    Kind regards,
    Younes
