rest_request_before_callbacks used incorrectly – breaks validation flow

Hi there,
I’d like to report an issue we’ve encountered related to the way your plugin hooks into the REST API request lifecycle.
In your code, you’re using:

add_action( 'rest_request_before_callbacks', array( $this, 'maybe_unset_attributes' ), 10, 3 );

However, rest_request_before_callbacks is technically a filter, not a pure action. This means any function attached to it should return a value, otherwise WordPress uses the returned null as the new $response.

If any validation logic (like parameter validation in schema) returns a WP_Error, and your function returns null, the previously returned error is overwritten with null. As a result, requests that should have been blocked get silently accepted and the validation step is effectively bypassed. This behavior can be observed in the core WordPress WP_REST_Server::respond_to_request() method:

$response = apply_filters( 'rest_request_before_callbacks', $response, $handler, $request );

The proposed fix is to simply change it from being an action handler to a filter and return the $response value (this was done by me locally and fixed the issue).

The page I need help with: [log in to see the link]