From c9661dcfb854f520b6fcb3ca0ce1047d998efe8d Mon Sep 17 00:00:00 2001 From: jorgefilipecosta Date: Wed, 4 Mar 2026 20:26:43 +0000 Subject: [PATCH] Options: Mask connector API keys on All Options screen. Connector API keys were visible in plain text on `wp-admin/options.php` because it queries the database directly, bypassing the `get_option()` filter that normally masks these values. This adds masking for options matching the `connectors_*_api_key` pattern using the existing `_wp_connectors_mask_api_key()` function, and disables editing from this screen. Props jorgefilipecosta, gziolo, ocean90. Fixes #64793. Built from https://develop.svn.wordpress.org/trunk@61829 git-svn-id: http://core.svn.wordpress.org/trunk@61116 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/options.php | 6 ++++++ wp-includes/version.php | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/wp-admin/options.php b/wp-admin/options.php index 1794086a80..b7fa72f921 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -423,6 +423,12 @@ foreach ( (array) $options as $option ) : $value = 'SERIALIZED DATA'; $disabled = true; } + } elseif ( str_starts_with( $option->option_name, 'connectors_' ) + && str_ends_with( $option->option_name, '_api_key' ) + ) { + // Mask connector API keys and prevent updates from this screen. + $value = _wp_connectors_mask_api_key( $option->option_value ); + $disabled = true; } else { $value = $option->option_value; $options_to_update[] = $option->option_name; diff --git a/wp-includes/version.php b/wp-includes/version.php index 6c09738119..5e85d49d93 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '7.0-beta2-61828'; +$wp_version = '7.0-beta2-61829'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.