I think this is nothing to worry about.
The redirect target is sanitized and validated a lot. To be honest I think I haven’t seen any part of the WordPress code where so many checks happen for the most obscure attack vectors.
Finally when you cast an array to a string Array
is returned which is what you’ve seen.
Arrays are always converted to the string “Array”;
This happens in _deep_replace
.
So my personal opinion is this should be fine. Let’s see what other people say.