[wp-trac] [WordPress Trac] #63339: WordPress 6.8 REST API returns all sticky posts regardless of per_page setting
WordPress Trac
noreply at wordpress.org
Wed Apr 23 18:24:37 UTC 2025
#63339: WordPress 6.8 REST API returns all sticky posts regardless of per_page
setting
--------------------------+-----------------------------
Reporter: se8820726 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 6.8
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Hi
If you install two fresh WordPress instances—one with version 6.7.2 and
another with version 6.8—
and then create 10 posts in each, making 4 of them sticky,
and call this API on both:
{{{
/wp-json/wp/v2/posts?per_page=2
}}}
In version 6.7.2, it correctly returns only 2 posts.
However, in version 6.8, it returns all sticky posts and ignores the
per_page parameter.
This means that if I have around 5,000 sticky posts on my site, calling
this API could cause my site to crash.
I can solve this problem by using **sticky=false** in request query
params:
{{{
/wp-json/wp/v2/posts?per_page=2&sticky=false
}}}
However, when sticky=false is not explicitly set in the request, it should
not return all sticky posts—it should still **respect the per_page**
parameter.
I think this is still a bug.
Even if per_page is not provided, it still should not return all sticky
posts—there should be a **default limit** in place.
Others can easily crash my site just by calling this endpoint:
{{{
/wp-json/wp/v2/posts
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63339>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list