WordPress · abhi3315 · Apr 7, 2026 · Apr 7, 2026
diff --git a/src/js/_enqueues/wp/customize/controls.js b/src/js/_enqueues/wp/customize/controls.js
@@ -6574,15 +6574,10 @@
 			 */
 
 			previewer.add( 'previewUrl', params.previewUrl ).setter( function( to ) {
-				var result = null, urlParser, queryParams, parsedAllowedUrl, parsedCandidateUrls = [];
+				var result = null, urlParser, queryParams, parsedAllowedUrl, matchedAllowedPath = '', parsedCandidateUrls = [];
 				urlParser = document.createElement( 'a' );
 				urlParser.href = to;
 
-				// Abort if URL is for admin or (static) files in wp-includes or wp-content.
-				if ( /\/wp-(admin|includes|content)(\/|$)/.test( urlParser.pathname ) ) {
-					return null;
-				}
-
 				// Remove state query params.
 				if ( urlParser.search.length > 1 ) {
 					queryParams = api.utils.parseQueryString( urlParser.search.substr( 1 ) );
@@ -6613,12 +6608,18 @@
 					return ! _.isUndefined( _.find( previewer.allowedUrls, function( allowedUrl ) {
 						parsedAllowedUrl.href = allowedUrl;
 						if ( urlParser.protocol === parsedAllowedUrl.protocol && urlParser.host === parsedAllowedUrl.host && 0 === urlParser.pathname.indexOf( parsedAllowedUrl.pathname.replace( /\/$/, '' ) ) ) {
+							matchedAllowedPath = parsedAllowedUrl.pathname.replace( /\/$/, '' );
 							result = parsedCandidateUrl.href;
 							return true;
 						}
 					} ) );
 				} );
 
+				// Disallow links to admin, includes, and content, unless the matching allowed URL itself contains such a path.
+				if ( result && /\/wp-(admin|includes|content)(\/|$)/.test( urlParser.pathname.substring( matchedAllowedPath.length ) ) ) {
+					return null;
+				}
+
 				return result;
 			});
 

diff --git a/src/js/_enqueues/wp/customize/preview.js b/src/js/_enqueues/wp/customize/preview.js
@@ -281,7 +281,7 @@
 	 * @return {boolean} Is appropriate for changeset link.
 	 */
 	api.isLinkPreviewable = function isLinkPreviewable( element, options ) {
-		var matchesAllowedUrl, parsedAllowedUrl, args, elementHost;
+		var matchesAllowedUrl, matchedAllowedPath = '', parsedAllowedUrl, args, elementHost;
 
 		args = _.extend( {}, { allowAdminAjax: false }, options || {} );
 
@@ -298,7 +298,10 @@
 		parsedAllowedUrl = document.createElement( 'a' );
 		matchesAllowedUrl = ! _.isUndefined( _.find( api.settings.url.allowed, function( allowedUrl ) {
 			parsedAllowedUrl.href = allowedUrl;
-			return parsedAllowedUrl.protocol === element.protocol && parsedAllowedUrl.host.replace( /:(80|443)$/, '' ) === elementHost && 0 === element.pathname.indexOf( parsedAllowedUrl.pathname.replace( /\/$/, '' ) );
+			if ( parsedAllowedUrl.protocol === element.protocol && parsedAllowedUrl.host.replace( /:(80|443)$/, '' ) === elementHost && 0 === element.pathname.indexOf( parsedAllowedUrl.pathname.replace( /\/$/, '' ) ) ) {
+				matchedAllowedPath = parsedAllowedUrl.pathname.replace( /\/$/, '' );
+				return true;
+			}
 		} ) );
 		if ( ! matchesAllowedUrl ) {
 			return false;
@@ -314,8 +317,8 @@
 			return args.allowAdminAjax;
 		}
 
-		// Disallow links to admin, includes, and content.
-		if ( /\/wp-(admin|includes|content)(\/|$)/.test( element.pathname ) ) {
+		// Disallow links to admin, includes, and content, unless the matching allowed URL itself contains such a path.
+		if ( /\/wp-(admin|includes|content)(\/|$)/.test( element.pathname.substring( matchedAllowedPath.length ) ) ) {
 			return false;
 		}