• twisted1919

    (@twisted1919)


    Hello,

    From what I see, if we have a URL like:

    https://www.domain.com/post-type-taxonomy/parent-term/child-term/

    In order to properly display the requested page, WordPress only takes into consideration the last URI segment, in this case,

    child-term

    So we can access:

    https://www.domain.com/post-type-category/whatever-i-type-here-does-not-matter/child-category/

    or even

    https://www.domain.com/post-type-taxonomy/child-category/

    And get same result.

    My hunch is that this happens because WP only needs that URI segment to identify the category in this case, so it doesn’t care about anything else. I also think that if there were another parent category having a child category with the same name, then maybe things would work differently and WordPress would need the parent category URI segment so it could identify which of the child categories to render.

    Is this the expected behavior?

    The reason I am asking is because we’re running a security scanner against one of our WordPress installs, and because it can basically insert whatever it wants in the URI segment that WP ignores, it reports a lot of security issues, blind SQL injection vulnerabilities to be more precise, which in this case seem to be false positives.

    Is there any way to make WordPress return a 404 error for the above cases?

    Thank you.

    • This topic was modified 3 years ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Developing with WordPress topic
Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    You could use the “request” filter to examine all requests. If it’s a category_name request, explode the query var’s string on '/'. If the resulting array has more than one element, verify that each one is a valid category term slug. If not, you could simply call wp_die(), which does have an optional arg to respond with 404 status.
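
    The following is an added example of the check described in the reply above; it is not code from the thread, from bcworkz, or from WordPress core. It goes one step further than "each slug is a valid term": it walks the slug chain from the root and requires each term's parent to be the term before it, so both `/parent/child/` with a bogus parent and a bare `/child/` without its parent are rejected. It assumes the taxonomies involved are registered as hierarchical (core `category` is, with query var `category_name`) and that the site only wants term pages whose URL matches the real ancestry. The `example_` function names are hypothetical; the WordPress functions used (`add_filter`, `get_taxonomies`, `get_term_by`, `wp_die`) are real core API.

```php
<?php
/**
 * Added example, not from the thread or from WordPress core.
 * Drop this in an mu-plugin. It hooks the 'request' filter, which
 * receives the parsed query vars before WP_Query runs, and sends a
 * 404 via wp_die() when a hierarchical term path does not match the
 * real parent/child chain of the terms it names.
 */

add_filter( 'request', 'example_reject_fake_term_paths' );

/**
 * @param array $query_vars Parsed query vars for the current request.
 * @return array Unchanged query vars when the path checks out.
 */
function example_reject_fake_term_paths( array $query_vars ) {
    // Every hierarchical taxonomy, including core 'category'
    // (whose query var is 'category_name', not 'category').
    $taxonomies = get_taxonomies( array( 'hierarchical' => true ), 'objects' );

    foreach ( $taxonomies as $tax ) {
        if ( empty( $tax->query_var ) || empty( $query_vars[ $tax->query_var ] ) ) {
            continue;
        }
        // With hierarchical rewrites the query var holds the whole
        // "parent/child" path; WordPress itself only uses the last part.
        if ( ! example_term_path_is_valid( $query_vars[ $tax->query_var ], $tax->name ) ) {
            wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
        }
    }

    return $query_vars;
}

/**
 * Walk "parent/child/grandchild" from the root. Each slug must exist
 * in the taxonomy and its parent must be the term matched just before it
 * (0 for the first segment, i.e. a top-level term).
 *
 * @param string $path     Slash-separated slug path from the URL.
 * @param string $taxonomy Taxonomy name, e.g. 'category'.
 * @return bool
 */
function example_term_path_is_valid( $path, $taxonomy ) {
    // Drop empty segments produced by leading/trailing slashes.
    $slugs  = array_filter( explode( '/', $path ), 'strlen' );
    $parent = 0;

    foreach ( $slugs as $slug ) {
        $term = get_term_by( 'slug', $slug, $taxonomy );
        if ( ! $term || (int) $term->parent !== $parent ) {
            return false; // unknown slug, or right slug under the wrong parent
        }
        $parent = (int) $term->term_id;
    }

    return ! empty( $slugs );
}
```

    With this in place, `/post-type-category/whatever-i-type-here-does-not-matter/child-category/` fails on the first segment (no such term) and `/post-type-taxonomy/child-category/` fails because the child's parent is not 0, so both get a 404 while the canonical `/parent-term/child-term/` URL still renders. If you only want to reject unknown slugs and keep the short child-only URL working, drop the `(int) $term->parent !== $parent` comparison and keep just the existence check, which is exactly what the reply above describes.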

  • The topic ‘Does WP ignore URI segments of parent categories?’ is closed to new replies.