[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Wed Apr 19 17:34:10 GMT 2006

Robert Deaton wrote:
>> It's easy to fix. You just need to make sure that all actions take place
>> through POST, not GET, regardless of URL. This wouldn't punish anybody.
> A link with embedded javascript in an e-mail will easily bypass this,
> its not so easy to fix.

This has been brought up many times before.

<form method="post" action="http://example.com/wp-admin/delete-all.php">
   <input type="submit" name="Submit" value="Click Here" />
   for a free iPod!

That said, there are some places we're using GET gratuitously.

Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

More information about the wp-hackers mailing list