[wp-trac] [WordPress Trac] #63329: Use check_ajax_referer() instead of check_admin_referer() for AJAX requests in media form handling.
WordPress Trac
noreply at wordpress.org
Tue Apr 22 07:07:56 UTC 2025
#63329: Use check_ajax_referer() instead of check_admin_referer() for AJAX requests in media form handling.
-------------------------------------------------+-------------------------
Reporter: khushipatel15 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.8
Severity: normal | Keywords: has-patch
Focuses: coding-standards, php-compatibility |
-------------------------------------------------+-------------------------
This patch replaces the use of check_admin_referer( 'media-form' ) with
check_ajax_referer( 'media-form' ) in the relevant media-handling code to
better align with AJAX request security practices in WordPress.
The check_ajax_referer() function is specifically intended for verifying
nonces on AJAX requests and provides a more appropriate response structure
for such scenarios. It also ensures compatibility with how WordPress
handles wp_die() in AJAX contexts, where it returns a -1 response instead
of rendering an HTML error page.
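As an added illustration of the behaviour the ticket describes (not code from the ticket's patch or from WordPress core), the following hypothetical plugin handler verifies the 'media-form' nonce on an admin-ajax.php request with check_ajax_referer(); the action name, function names and script handle are assumptions for illustration.

```php
<?php
// Added example, not part of the ticket. Registered for logged-in users only
// (no wp_ajax_nopriv_ hook), so the capability check is reached only after login.
add_action( 'wp_ajax_example_save_media_meta', 'example_save_media_meta' );

function example_save_media_meta() {
	// check_ajax_referer() reads the nonce from $_REQUEST['_ajax_nonce'] or,
	// failing that, $_REQUEST['_wpnonce'] (the field wp_nonce_field( 'media-form' )
	// emits). With $stop = true (the default) an invalid nonce ends the request
	// via wp_die( -1, 403 ): a bare "-1" body with a 403 status, not the HTML
	// "link has expired" page that check_admin_referer() would render.
	check_ajax_referer( 'media-form' );

	// A nonce proves request intent, not authorization: still check capability.
	$attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
	if ( ! $attachment_id || ! current_user_can( 'edit_post', $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$caption = isset( $_POST['caption'] ) ? sanitize_text_field( wp_unslash( $_POST['caption'] ) ) : '';
	wp_update_post( array( 'ID' => $attachment_id, 'post_excerpt' => $caption ) );

	wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

// Variant: pass $stop = false to handle failure yourself and return JSON the
// client can parse instead of the bare "-1". The return value is 1 (nonce from
// the current 12-hour tick), 2 (previous tick) or false (invalid).
function example_verify_media_nonce_json() {
	$valid = check_ajax_referer( 'media-form', false, false );
	if ( false === $valid ) {
		wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
	}
	return $valid;
}

// Client side: hand the nonce to the script that posts to admin-ajax.php.
// The script (hypothetical media.js) sends it as the _ajax_nonce POST field.
function example_enqueue_media_script() {
	wp_enqueue_script( 'example-media', plugins_url( 'media.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-media', 'exampleMedia', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'media-form' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_media_script' );
```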
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63329>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform