REST API: Prevent inaccessible attachments from being embedded in posts.

JJJ · JJJ · commit 3e03a8e8d1a3 · 2026-03-12T23:26:01.000Z
When an attachment is used by multiple posts, it could be included in `_embed` for a published post even if its `post_parent` is a draft. This commit avoids embedding attachments that are not viewable in this context. Props bor0. Fixes #64183. Built from https://develop.svn.wordpress.org/trunk@61996 git-svn-id: http://core.svn.wordpress.org/trunk@61278 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2294,7 +2294,7 @@ protected function prepare_links( $post ) {
 
 		// If we have a featured media, add that.
 		$featured_media = get_post_thumbnail_id( $post->ID );
-		if ( $featured_media ) {
+		if ( $featured_media && ( 'publish' === get_post_status( $featured_media ) || current_user_can( 'read_post', $featured_media ) ) ) {
 			$image_url = rest_url( rest_get_route_for_post( $featured_media ) );
 
 			$links['https://api.w.org/featuredmedia'] = array(
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-beta5-61995';
+$wp_version = '7.0-beta5-61996';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`*`
`17`	`17`	`* @global string $wp_version`
`18`	`18`	`*/`
`19`		`-$wp_version = '7.0-beta5-61995';`
	`19`	`+$wp_version = '7.0-beta5-61996';`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.`