[wp-trac] [WordPress Trac] #64769: Backport WP AI Client enhancement to harden security for using `Ability_Function_Resolver`
WordPress Trac
noreply at wordpress.org
Tue Mar 3 14:00:59 UTC 2026
#64769: Backport WP AI Client enhancement to harden security for using `Ability_Function_Resolver`
--------------------------------------+-----------------------
Reporter: flixos90 | Owner: flixos90
Type: task (blessed) | Status: closed
Priority: normal | Milestone: 7.0
Component: AI | Version:
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+-----------------------
Changes (by gziolo):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"61795" 61795]:
{{{
#!CommitTicketReference repository="" revision="61795"
AI: Sync `Ability_Function_Resolver` API enhancement to harden security
Make `WP_AI_Client_Ability_Function_Resolver` non-static and require
specifying the allowed abilities list in the constructor. This hardens
security by ensuring that only explicitly specified abilities can be
executed, preventing potential vulnerabilities such as prompt injection
from triggering arbitrary abilities.
The constructor accepts either `WP_Ability` objects or ability name
strings. If an ability is not in the allowed list, an error response with
code `ability_not_allowed` is returned.
Developed in https://github.com/WordPress/wordpress-develop/pull/11103.
Upstream: https://github.com/WordPress/wp-ai-client/pull/61.
Props felixarntz, gziolo, JasonTheAdams, dkotter, johnbillion.
Fixes #64769.
}}}
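The allow-list design the changeset describes, as an added illustration that is not the WP AI Client's own code: a hypothetical stand-alone class (the real `WP_AI_Client_Ability_Function_Resolver` has its own method surface) that assumes WordPress' `WP_Error`, a `WP_Ability` class exposing `get_name()`, and a `wp_get_ability()` registry lookup.

```php
<?php
// Hypothetical sketch (added example, not the project's class) of a non-static
// resolver whose constructor fixes, once, the only abilities that may ever be
// executed. Anything else is refused before any registry lookup happens.

class Allow_Listed_Ability_Resolver {

	/** @var array<string, true> Allowed ability names, keyed by name. */
	private array $allowed = array();

	/**
	 * @param array<WP_Ability|string> $allowed_abilities WP_Ability objects or ability names.
	 */
	public function __construct( array $allowed_abilities ) {
		foreach ( $allowed_abilities as $ability ) {
			// Normalise both accepted input types to a plain ability name.
			$name = $ability instanceof WP_Ability ? $ability->get_name() : (string) $ability;
			$this->allowed[ $name ] = true;
		}
	}

	/** True only for names given to the constructor. */
	public function is_allowed( string $function_name ): bool {
		return isset( $this->allowed[ $function_name ] );
	}

	/**
	 * Resolve a function name chosen by the model to an ability, failing closed.
	 *
	 * @param string $function_name Name the model asked to call (untrusted input).
	 * @return WP_Ability|WP_Error
	 */
	public function resolve( string $function_name ) {
		// The allow-list is checked first, so a name smuggled in through
		// prompt injection never reaches the ability registry at all.
		if ( ! $this->is_allowed( $function_name ) ) {
			return new WP_Error(
				'ability_not_allowed',
				sprintf( 'Ability "%s" is not in the allowed list.', $function_name ),
				array( 'status' => 403 )
			);
		}

		// Registry lookup; wp_get_ability() and the fallback code are assumptions.
		$ability = wp_get_ability( $function_name );
		if ( ! $ability instanceof WP_Ability ) {
			return new WP_Error( 'ability_not_registered', sprintf( 'Ability "%s" is not registered.', $function_name ) );
		}
		return $ability;
	}
}
```

Usage: `$resolver = new Allow_Listed_Ability_Resolver( array( 'my-plugin/search-posts' ) );` then `$resolver->resolve( $name )`, where `$name` comes from the model's function call; an unlisted name yields a `WP_Error` with code `ability_not_allowed`.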
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64769#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>