[wp-trac] [WordPress Trac] #63329: Use check_ajax_referer() instead of check_admin_referer() for AJAX requests in media form handling.

WordPress Trac noreply at wordpress.org
Tue Apr 22 07:58:12 UTC 2025


#63329: Use check_ajax_referer() instead of check_admin_referer() for AJAX requests
in media form handling.
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  (none)
  khushipatel15          |
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:  6.8
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:  coding-standards, php-
                         |  compatibility
-------------------------+-------------------------------------------------

Comment (by narenin):

 Hi @khushipatel15

 Thanks for the patch.

 But **check_admin_referer()** also ensures intent by verifying that a user
 was referred from another admin page with a correct security nonce, so in
 this case we are also checking the nonce.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63329#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
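As an added illustration of the two checks the ticket contrasts (example code, not WordPress core and not the ticket's patch; the action name `example_media_update` and capability check are assumptions), both handlers below verify the same nonce; what differs is how a failure is reported back to the client:

```php
<?php
// Added example (not WordPress core code or the ticket's patch). Assumed
// hypothetical action name: 'example_media_update'. Both handlers verify the
// same nonce; only the failure behaviour differs.

// The nonce is generated once and embedded in the form (or passed to the JS).
function example_media_nonce_field() {
    wp_nonce_field( 'example_media_update', '_wpnonce' );
}

// Classic (non-AJAX) form POST to admin-post.php. check_admin_referer()
// verifies the nonce and the referer; on failure it calls wp_die() with the
// HTML "link has expired" page, which is what a browser form submit expects.
add_action( 'admin_post_example_media_update', function () {
    check_admin_referer( 'example_media_update', '_wpnonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // ... handle the media form ...
    wp_safe_redirect( wp_get_referer() );
    exit;
} );

// AJAX request to admin-ajax.php. check_ajax_referer() verifies the same
// nonce; with $stop = false it returns false instead of dying with "-1", so
// the handler can answer with a JSON error the client script can parse.
add_action( 'wp_ajax_example_media_update', function () {
    if ( ! check_ajax_referer( 'example_media_update', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // ... handle the media form ...
    wp_send_json_success( array( 'updated' => true ) );
} );
```

Either way the request is rejected without a valid nonce; the AJAX variant just avoids sending a full HTML error page to a script that expects JSON.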