From 5eed1c8ea50eb3dfda7605749f267bf9e3234dc3 Mon Sep 17 00:00:00 2001
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:56:00 +0530
Subject: [PATCH] $_REQUEST['term'] used unsanitized in user search query

User-supplied search term is concatenated directly into the get_users() search argument without sanitize_text_field() or wp_unslash().
---
 src/wp-admin/includes/ajax-actions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 2af08fba70af9..4043e39154072 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -338,11 +338,11 @@ function wp_ajax_autocomplete_user() {
 'fields' => 'ID',
 ) ) : array() );
-
+ $term = isset( $_REQUEST['term'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) ) : '';
 $users = get_users(
 array(
 'blog_id' => false,
- 'search' => '*' . $_REQUEST['term'] . '*',
+ 'search' => '*' . $term . '*',
 'include' => $include_blog_users,
 'exclude' => $exclude_blog_users,
 'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),