Describe the bug
ACF_Rest_Api::initialize() in includes/rest-api/class-acf-rest-api.php (lines 35-52) is registered as a rest_pre_dispatch filter callback but does not return the $response parameter. Both code paths return null implicitly, which overwrites any response (including WP_Error) set by other plugins earlier in the filter chain.
This is a security concern: any plugin using rest_pre_dispatch for authentication can have its error response silently discarded, allowing unauthorized API access.
To Reproduce
Steps to reproduce the behavior:
- Register a `rest_pre_dispatch` filter at priority ≤10 that returns a `WP_Error` to block unauthorized requests
- ACF's `initialize()` also runs at priority 10 via `add_filter( 'rest_pre_dispatch', array( $this, 'initialize' ), 10, 3 )`
- When ACF runs after the security plugin, it receives the `WP_Error` as `$response` but returns `null` (no return statement)
- WordPress checks `! empty( $result )` in `WP_REST_Server::serve_request()` — since `null` is empty, the request proceeds as if no error occurred
- The REST API responds with 200 instead of the expected 401
Expected behavior
initialize() should return $response to preserve the filter chain, as per WordPress filter contract:
```php
public function initialize( $response, $handler, $request ) {
    if ( ! acf_get_setting( 'rest_api_enabled' ) ) {
        return $response; // currently: bare `return;`
    }
    $this->request = new ACF_Rest_Request();
    $this->request->parse_request( $request );
    $this->register_field();
    if ( acf_get_setting( 'rest_api_embed_links' ) ) {
        $this->embed_links = new ACF_Rest_Embed_Links();
        $this->embed_links->initialize();
    }
    return $response; // currently: missing
}
```
Screenshots or Video
N/A — this is a code-level filter issue, not a UI bug.
Code
N/A — no field group export needed. The bug is in ACF core: includes/rest-api/class-acf-rest-api.php lines 35-52.
Version Information:
- WordPress Version: 6.8
- PHP Version: 8.2
- ACF Version: ACF PRO 6.7.0.2
- Browser: N/A (REST API / server-side)
Additional context
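The filter-chain behaviour described in this report, as an added stand-alone example that is not part of the original report and is not WordPress or ACF code. `WP_Error`, `run_filter_chain()`, `served_status()` and the closures are simplified stand-ins assumed for illustration; it runs with the PHP 8 CLI.

```php
<?php
// Simplified stand-ins (assumptions), not WordPress or ACF code.
class WP_Error {
    public function __construct(public string $code, public string $message, public int $status) {}
}

// Mimics apply_filters(): each callback's return value feeds the next callback.
function run_filter_chain(array $callbacks, $value, ...$args) {
    foreach ($callbacks as $callback) {
        $value = $callback($value, ...$args);
    }
    return $value;
}

// Hypothetical auth plugin: returns an error for unauthenticated requests.
$deny_unauthenticated = function ($response, $handler, $request) {
    if (empty($request['authenticated'])) {
        return new WP_Error('rest_forbidden', 'Authentication required.', 401);
    }
    return $response;
};

// Shape of the reported callback: setup work only, implicit null return.
$without_return = function ($response, $handler, $request) {
};

// Shape of the proposed fix: the incoming $response is passed through.
$with_return = function ($response, $handler, $request) {
    return $response;
};

// Mirrors the `! empty( $result )` check cited in the report.
function served_status($result): int {
    if (!empty($result) && $result instanceof WP_Error) {
        return $result->status; // short-circuit with the error
    }
    return 200; // simplified: normal dispatch proceeds
}

$request = ['authenticated' => false]; // constructed sample request

foreach (['without return' => $without_return, 'with return' => $with_return] as $label => $later) {
    $result = run_filter_chain([$deny_unauthenticated, $later], null, null, $request);
    printf("%-15s result=%-8s status=%d\n", $label, get_debug_type($result), served_status($result));
}
```

The same two-callback arrangement works as a regression test for any `rest_pre_dispatch` callback: feed it a `WP_Error` and check that the same object comes back out.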