
Fix access to block pages when adding query strings to the URL #169

Merged: remyperona merged 1 commit into master from fix/page-access on Jun 1, 2026

@remyperona (Contributor)

Improve path and slug matching to prevent access to blocked pages using a query string.

The change still allows access to pages that have an expected query string, like edit.php?post_type=page.

The change was validated by blocking access to the comments page, for an editor role:

  • before the change, the page was still accessible when adding a query string to the URL
  • after the change, the page is correctly blocked

Copilot AI left a comment

Pull request overview

Fixes a bypass in _mw_adminimize_check_page_access() where blocked admin pages could still be reached by appending a query string to the URL (e.g., edit.php?foo=bar). The function previously only ran the substring path check when no query string was present, and otherwise required an exact $slug === $url match — so any extra query parameter on a no-query slug skipped both checks. The new logic always compares the slug's path against the request path and, when the slug itself has query parameters (e.g., edit.php?post_type=page), additionally verifies those parameters are present in the current request.

Changes:

  • Parse the configured slug with wp_parse_url() to separate its path and query components.
  • Always perform the substring path match; if the slug has query params, require all of them to match the current request's params.
  • Register the load- action using $uri['path'] (which is already basenamed via $url) instead of the two separate path/basename branches.

@remyperona merged commit 0b728ed into master Jun 1, 2026
1 of 13 checks passed
@remyperona deleted the fix/page-access branch June 1, 2026 14:47
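
The matching rule discussed in this pull request, as an added example that is not the plugin's code: a standalone PHP model of the check before and after the change, following the review summary above. The function names are hypothetical, parse_url() stands in for wp_parse_url(), and the slug/URL pairs are constructed.

```php
<?php
// Standalone model of the two matching strategies described in this PR.
// Function names are hypothetical; parse_url() stands in for wp_parse_url().

/** Split "edit.php?post_type=page" into [basename of path, query params]. */
function split_target(string $target): array {
    $path = (string) parse_url($target, PHP_URL_PATH);
    parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
    return [basename($path), $params];
}

/** Before: substring path check only without a query string, else exact match. */
function blocked_before(string $slug, string $request): bool {
    if (strpos($request, '?') === false) {
        return strpos($request, $slug) !== false;
    }
    return $slug === $request;
}

/** After: always match the path; also require the slug's own params, if any. */
function blocked_after(string $slug, string $request): bool {
    [$slug_path, $slug_params] = split_target($slug);
    [$req_path, $req_params]   = split_target($request);
    if ($slug_path === '' || strpos($req_path, $slug_path) === false) {
        return false;
    }
    foreach ($slug_params as $key => $value) {
        if (!array_key_exists($key, $req_params) || $req_params[$key] !== $value) {
            return false;
        }
    }
    return true;
}

// Constructed cases: [blocked slug, requested URL].
$cases = [
    ['edit-comments.php', 'edit-comments.php'],
    ['edit-comments.php', 'edit-comments.php?foo=bar'],
    ['edit.php?post_type=page', 'edit.php?post_type=page'],
    ['edit.php?post_type=page', 'edit.php?post_type=page&orderby=date'],
    ['edit.php?post_type=page', 'edit.php'],
    ['edit.php?post_type=page', 'edit.php?post_type=post'],
];
foreach ($cases as [$slug, $request]) {
    printf("%-26s %-40s before=%-3s after=%s\n", $slug, $request,
        blocked_before($slug, $request) ? 'yes' : 'no',
        blocked_after($slug, $request) ? 'yes' : 'no');
}
```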