If you’re having issues with the search option, there might be a conflict on your website.
You can refer to the article below to begin troubleshooting the issue. In summary, disable all third-party plugins and switch back to the “Twenty Twenty-Five” theme to see if the issue persists. If not, enable your plugins one by one to identify the cause.
Here are my findings in case anyone is having issues with this…
I’ve been investigating this issue and found the root cause. It’s a bug, not a site configuration issue.
The Author search field in the Advanced Post Creation settings page calls /wp-json/wp/v2/users?search=<query> using a plain fetch() request (in admin-components.min.js). The problem is it doesn’t include the X-WP-Nonce header that WordPress requires for authenticated REST API requests.
Here’s what happens:
The browser sends the WordPress login cookie with the request automatically
WordPress’s rest_cookie_check_errors sees a cookie but no matching nonce, and treats this as a potential CSRF attack
WordPress deliberately downgrades the request to unauthenticated as a security measure
An unauthenticated user doesn’t have the list_users capability, so the endpoint returns 401 rest_forbidden
The fix would be to use wp.apiFetch() instead of raw fetch() for this request — wp.apiFetch() automatically includes the nonce header. The APC add-on already creates a nonce for its own AJAX calls (gform_advancedpostcreation_author_search), but the Author dropdown is rendered by a shared GF core React component that bypasses this.
I confirmed this by running the same REST API query server-side as an authenticated admin — it returns results successfully. The endpoint itself works fine; it’s just the browser request that’s missing authentication.
Tested on GF 2.9.30 / APC 1.6.1. Reproduced on multiple sites.
