From d0a70f1a03130b98a7fa65b82fae2e63c073cd75 Mon Sep 17 00:00:00 2001 From: Brian Krane Date: Fri, 19 Jun 2026 08:18:33 -0400 Subject: [PATCH] Fix fatal in admin password-reset when profile sanitizes to empty MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `profile` REST arg registered `sanitize_title` directly as its sanitize_callback. WordPress invokes sanitize callbacks as `call_user_func( $cb, $value, $request, $key )`, so the request object landed in sanitize_title's `$fallback_title` parameter. When the input sanitizes to an empty string — as it does for the common `profile: ""` payload — sanitize_title returns the fallback, handing back the WP_REST_Request object. The subsequent `(string)` cast in send_reset() then fataled with "Object of class WP_REST_Request could not be converted to string", surfacing as a 500. Wrap the sanitizer in a closure so only the value reaches sanitize_title. Co-Authored-By: Claude Opus 4.8 (1M context) --- src/WorkOS/Auth/PasswordResetAdmin/RestApi.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/WorkOS/Auth/PasswordResetAdmin/RestApi.php b/src/WorkOS/Auth/PasswordResetAdmin/RestApi.php index d4c2484..c9e17e4 100644 --- a/src/WorkOS/Auth/PasswordResetAdmin/RestApi.php +++ b/src/WorkOS/Auth/PasswordResetAdmin/RestApi.php @@ -111,7 +111,7 @@ public function register_routes(): void { 'args' => [ 'id' => [ 'sanitize_callback' => 'absint' ], 'redirect_url' => [ 'sanitize_callback' => 'sanitize_text_field' ], - 'profile' => [ 'sanitize_callback' => 'sanitize_title' ], + 'profile' => [ 'sanitize_callback' => static fn( $value ) => sanitize_title( (string) $value ) ], ], ] );