Changeset 61829

Timestamp:

03/04/2026 08:25:42 PM (9 days ago)

Author:

jorgefilipecosta

Message:

Options: Mask connector API keys on All Options screen.

Connector API keys were visible in plain text on wp-admin/options.php
because it queries the database directly, bypassing the get_option()
filter that normally masks these values.
This adds masking for options matching the connectors_*_api_key pattern
using the existing _wp_connectors_mask_api_key() function, and disables
editing from this screen.

Props jorgefilipecosta, gziolo, ocean90.
Fixes #64793.

File:

• trunk/src/wp-admin/options.php (modified) (1 diff)

trunk/src/wp-admin/options.php

@@ -424 +424 @@
             $disabled = true;
         }
+    } elseif ( str_starts_with( $option->option_name, 'connectors_' )
+        && str_ends_with( $option->option_name, '_api_key' )
+    ) {
+        // Mask connector API keys and prevent updates from this screen.
+        $value    = _wp_connectors_mask_api_key( $option->option_value );
+        $disabled = true;
     } else {
         $value               = $option->option_value;