[wp-trac] [WordPress Trac] #64789: Security audit for API key storage on the Connectors screen

WordPress Trac noreply at wordpress.org
Wed Mar 4 10:21:07 UTC 2026


#64789: Security audit for API key storage on the Connectors screen
--------------------------+--------------------
 Reporter:  gziolo        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  7.0
Component:  Security      |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+--------------------
 The Connectors screen introduced in #64730 stores AI provider API keys
 using the WordPress options API. Several security concerns were discussed
 during the review that need to be verified.

 === Plaintext storage in the database

 API keys for AI providers are currently stored as plaintext option values.
 These are sensitive credentials that, in a perfect world, should be
 encrypted. WordPress ships with libsodium (via `sodium_compat`), which
 could be used for authenticated encryption.

 === Masking bypass via `/wp-admin/options.php`

 The current masking approach uses a filter on `option_{name}` to redact
 the key value in REST responses and on the Connectors page. However, the
 key is still visible in plaintext when visiting the hidden `options.php`
 screen in WP Admin. The masking filter is also temporarily removed when
 passing the key to the AI provider class for authentication, which may
 create additional windows of exposure.

 === Key portability concerns

 As noted in review, just because a user is authorized to connect a
 provider on a site doesn't mean the key should be extractable. Encryption
 at rest (where only the site itself can decrypt for authenticated API
 calls) would mitigate this.

 == Proposed actions

 1. Evaluate using Sodium-based encryption for API key values stored in the
 options table.
 2. Ensure masking is applied consistently across all surfaces (REST API,
 options.php, wp_options database queries) or that encryption makes masking
 less critical.
 3. Document the threat model: who are we protecting against (other admins,
 database access, plugins reading options)?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64789>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
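
A sketch of the Sodium-based option encryption the ticket proposes evaluating, as an added example that is not WordPress core code or the reporter's own. The function names, the `enc:v1:` prefix, the option name and the site secret are hypothetical or constructed. It uses AEAD with the option name as associated data, so a ciphertext copied into another option row is rejected.

```php
<?php
// Added example: all names below are hypothetical, not WordPress APIs.
const EXAMPLE_PREFIX = 'enc:v1:'; // constructed marker for encrypted values

function example_derive_key(string $site_secret): string {
    // Derive a dedicated 32-byte key; the site secret is never used directly.
    return hash_hkdf('sha256', $site_secret,
        SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES, 'connectors-api-key');
}

function example_encrypt_option(string $option, string $plaintext, string $site_secret): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    // The option name is authenticated (not encrypted) as associated data.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $plaintext, $option, $nonce, example_derive_key($site_secret));
    return EXAMPLE_PREFIX . base64_encode($nonce . $ct);
}

function example_decrypt_option(string $option, string $stored, string $site_secret): ?string {
    $plen = strlen(EXAMPLE_PREFIX);
    if (strncmp($stored, EXAMPLE_PREFIX, $plen) !== 0) {
        return null; // legacy plaintext or foreign value: caller decides how to migrate
    }
    $raw  = base64_decode(substr($stored, $plen), true);
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) < $nlen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null; // malformed or truncated
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $nlen), $option, substr($raw, 0, $nlen), example_derive_key($site_secret));
    return $pt === false ? null : $pt; // false means tampered, wrong key, or wrong option
}

// Constructed sample input: a fake secret, option name and API key.
$secret = 'constructed-site-secret-not-a-real-salt';
$option = 'example_connector_api_key';
$stored = example_encrypt_option($option, 'sk-constructed-000', $secret);

echo "stored value:   $stored\n";
echo 'round trip:     ', var_export(example_decrypt_option($option, $stored, $secret), true), "\n";
echo 'other option:   ', var_export(example_decrypt_option('another_option', $stored, $secret), true), "\n";
echo 'other secret:   ', var_export(example_decrypt_option($option, $stored, 'different-secret'), true), "\n";
```

With the key material held outside the database, this covers the database-access and `options.php` cases from the proposed threat model. Code running inside the site, such as a plugin, can still reach the decrypt path.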

