Add is_numeric() check and int cast for error status in rest_convert_error_to_response().

nate-allen · nate-allen · commit 6398886bfd69 · 2026-03-24T13:17:42.000-04:00
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
@@ -3429,7 +3429,10 @@ function rest_convert_error_to_response( $error ) {
 		$error->get_all_error_data(),
 		static function ( $status, $error_data ) {
 			// Note: $error_data may not be an array (e.g. stdClass), so is_array() check is intentional.
-			return is_array( $error_data ) && isset( $error_data['status'] ) ? $error_data['status'] : $status;
+			if ( is_array( $error_data ) && isset( $error_data['status'] ) && is_numeric( $error_data['status'] ) ) {
+				$status = (int) $error_data['status'];
+			}
+			return $status;
 		},
 		500
 	);
diff --git a/tests/phpunit/tests/rest-api/rest-server.php b/tests/phpunit/tests/rest-api/rest-server.php
@@ -605,6 +605,19 @@ public function test_error_to_response_with_stdclass_data() {
 		$this->assertSame( 500, $response->get_status() );
 	}
 
+	/**
+	 * @ticket 64901
+	 */
+	public function test_error_to_response_with_non_numeric_status() {
+		$error = new WP_Error( 'test', 'test', array( 'status' => 'forbidden' ) );
+
+		$response = rest_convert_error_to_response( $error );
+		$this->assertInstanceOf( 'WP_REST_Response', $response );
+
+		// Non-numeric status should be ignored, status should default to 500.
+		$this->assertSame( 500, $response->get_status() );
+	}
+
 	public function test_rest_error() {
 		$data     = array(
 			'code'    => 'wp-api-test-error',
