WordPress doesn’t seem to support named parameters in a query string (like ?foo=123&bar=456) unless you explicitly allow them by doing add_filter('query_vars'...). Why is this? What (presumably security-related) benefit is it supposed to offer?

I have an unusual setup with various custom code that pulls in page content from an external (non-WP) source, and I find it a bit tedious to have to tell WordPress about every parameter name I might be using.

The docs say “public query variables … are built up when WP_Query instantiates, but fortunately are passed through a filter ‘query_vars’”. Why is it fortunate? A malicious visitor could add extra parameters to the URL, but so what?
