ACF_Rest_Api::initialize() does not return $response on rest_pre_dispatch filter #1000

@epiphaneSpecter

Describe the bug
ACF_Rest_Api::initialize() in includes/rest-api/class-acf-rest-api.php (lines 35-52) is registered as a rest_pre_dispatch filter callback but does not return the $response parameter. Both code paths return null implicitly, which overwrites any response (including WP_Error) set by other plugins earlier in the filter chain.

This is a security concern: any plugin using rest_pre_dispatch for authentication can have its error response silently discarded, allowing unauthorized API access.

To Reproduce
Steps to reproduce the behavior:

  1. Register a rest_pre_dispatch filter at priority ≤10 that returns a WP_Error to block unauthorized requests
  2. ACF's initialize() also runs at priority 10 via add_filter( 'rest_pre_dispatch', array( $this, 'initialize' ), 10, 3 )
  3. When ACF runs after the security plugin, it receives the WP_Error as $response but returns null (no return statement)
  4. WordPress checks ! empty( $result ) in WP_REST_Server::serve_request() — since null is empty, the request proceeds as if no error occurred
  5. The REST API responds with 200 instead of the expected 401

Expected behavior
initialize() should return $response to preserve the filter chain, as per the WordPress filter contract:

public function initialize( $response, $handler, $request ) {
    if ( ! acf_get_setting( 'rest_api_enabled' ) ) {
        return $response;  // currently: bare `return;`
    }

    $this->request = new ACF_Rest_Request();
    $this->request->parse_request( $request );
    $this->register_field();

    if ( acf_get_setting( 'rest_api_embed_links' ) ) {
        $this->embed_links = new ACF_Rest_Embed_Links();
        $this->embed_links->initialize();
    }

    return $response;  // currently: missing
}

Screenshots or Video
N/A — this is a code-level filter issue, not a UI bug.

Code
N/A — no field group export needed. The bug is in ACF core: includes/rest-api/class-acf-rest-api.php lines 35-52.

Version Information:

  • WordPress Version: 6.8
  • PHP Version: 8.2
  • ACF Version: ACF PRO 6.7.0.2
  • Browser: N/A (REST API / server-side)

Additional context
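
Added example, not part of the original issue and not ACF or WordPress code: a stand-alone PHP model of the filter chain described above, comparing a priority-10 callback that returns nothing with one that returns `$response`, plus a late-priority guard that an authentication plugin could use to re-assert its own rejection. `Stub_Error`, `run_chain()`, `status_for()`, the token policy and the sample request are all constructed for illustration.

```php
<?php
// Stand-alone model of a rest_pre_dispatch chain; runs with the PHP CLI, no WordPress.
// Stub_Error, run_chain() and status_for() are hypothetical stand-ins, not core code.
final class Stub_Error {
    public $status;
    public function __construct( $status ) { $this->status = $status; }
}

// Like a filter chain: each callback receives the previous callback's return value.
function run_chain( array $by_priority, array $request ) {
    ksort( $by_priority );
    $value = null; // the chain starts with no short-circuit response
    foreach ( $by_priority as $callbacks ) {
        foreach ( $callbacks as $cb ) {
            $value = $cb( $value, null, $request );
        }
    }
    return $value;
}

// Mirrors the emptiness check the issue describes: non-empty short-circuits the request.
function status_for( $result ) {
    return ! empty( $result ) ? $result->status : 200;
}

$seen = null; // rejection remembered by the auth callback for the late guard

// Auth check (constructed policy: a request without a token is rejected).
$auth = function ( $response, $server, $request ) use ( &$seen ) {
    $seen = empty( $request['token'] ) ? new Stub_Error( 401 ) : null;
    return $seen ?? $response;
};
// Callback shaped like the reported bug: does its setup, returns nothing.
$drops = function ( $response, $server, $request ) { return; };
// Callback shaped like the proposed fix: passes the value through.
$keeps = function ( $response, $server, $request ) { return $response; };
// Defensive guard for the auth plugin: re-assert the rejection after everyone else.
$guard = function ( $response ) use ( &$seen ) { return $seen ?? $response; };

$anonymous = array(); // constructed request with no credentials
$cases = array(
    'auth, then dropping callback'        => array( 5 => array( $auth ), 10 => array( $drops ) ),
    'auth, then pass-through callback'    => array( 5 => array( $auth ), 10 => array( $keeps ) ),
    'auth, dropping callback, late guard' => array( 5 => array( $auth ), 10 => array( $drops ), PHP_INT_MAX => array( $guard ) ),
);
foreach ( $cases as $label => $chain ) {
    printf( "%-38s HTTP %d\n", $label, status_for( run_chain( $chain, $anonymous ) ) );
}
```

In a real plugin the guard would be a second `add_filter( 'rest_pre_dispatch', ... )` registration at a priority above 10, with the remembered rejection reset at the start of each dispatch.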
