From d1091c65010253a06cb8062b8313aed0aded5104 Mon Sep 17 00:00:00 2001
From: Asmitha B
Date: Mon, 12 Jan 2026 22:16:04 +0530
Subject: [PATCH] Harden REST request parameter sanitization

---
 .../rest-api/class-wp-rest-request.php | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/wp-includes/rest-api/class-wp-rest-request.php b/src/wp-includes/rest-api/class-wp-rest-request.php
index 7148d931f7149..ea9ebc30e1fa6 100644
--- a/src/wp-includes/rest-api/class-wp-rest-request.php
+++ b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -847,14 +847,27 @@ public function sanitize_params() {
 			}
 			/** @var mixed|WP_Error $sanitized_value */
-			$sanitized_value = call_user_func( $param_args['sanitize_callback'], $value, $this, $key );
+			/** @var mixed|WP_Error $sanitized_value */
+if ( is_array( $value ) ) {
+	$sanitized_value = array_map(
+		function ( $item ) use ( $param_args, $key ) {
+			return call_user_func( $param_args['sanitize_callback'], $item, $this, $key );
+		},
+		$value
+	);
+} elseif ( is_object( $value ) || is_bool( $value ) || is_null( $value ) ) {
+	$sanitized_value = '';
+} else {
+	$sanitized_value = call_user_func( $param_args['sanitize_callback'], $value, $this, $key );
+}
+
+if ( is_wp_error( $sanitized_value ) ) {
+	$invalid_params[ $key ] = implode( ' ', $sanitized_value->get_error_messages() );
+	$invalid_details[ $key ] = rest_convert_error_to_response( $sanitized_value )->get_data();
+} else {
+	$this->params[ $type ][ $key ] = $sanitized_value;
+}
-			if ( is_wp_error( $sanitized_value ) ) {
-				$invalid_params[ $key ] = implode( ' ', $sanitized_value->get_error_messages() );
-				$invalid_details[ $key ] = rest_convert_error_to_response( $sanitized_value )->get_data();
-			} else {
-				$this->params[ $type ][ $key ] = $sanitized_value;
-			}
 		}
 	}
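Review bot: A `WP_Error` returned by the sanitize callback for one array element is lost in the new `is_array` branch — `array_map` stores it as an element, so the following `is_wp_error( $sanitized_value )` check sees a plain array and the error object is written into `$this->params[ $type ][ $key ]` instead of `$invalid_params`. The `elseif` branch also replaces booleans, `null` and objects with `''` without ever calling the registered `sanitize_callback`, so a JSON `true` or a schema-permitted `null` is silently turned into an empty string rather than sanitized or rejected. If the registered callback is the schema-based one, it presumably expects the whole array and applies the item schema itself, so per-element mapping may run the array schema against each element; I would confirm that before keeping the mapping at all. At minimum the branch should propagate the first per-element error and pass non-array values straight to the callback, as below. The enclosing `sanitize_params()` begins and ends outside this hunk.

```php
/** @var mixed|WP_Error $sanitized_value */
if ( is_array( $value ) ) {
	$sanitized_value = array();
	foreach ( $value as $index => $item ) {
		$sanitized_item = call_user_func( $param_args['sanitize_callback'], $item, $this, $key );
		if ( is_wp_error( $sanitized_item ) ) {
			// Surface the first per-element error instead of storing it as a value.
			$sanitized_value = $sanitized_item;
			break;
		}
		$sanitized_value[ $index ] = $sanitized_item;
	}
} else {
	// Booleans, null and objects go through the registered callback like any other value.
	$sanitized_value = call_user_func( $param_args['sanitize_callback'], $value, $this, $key );
}
// … unchanged: is_wp_error() check and params assignment …
```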