[wp-trac] [WordPress Trac] #63371: nonce issue when using WordPress mobile app in parallel with web
WordPress Trac
noreply at wordpress.org
Wed Apr 30 06:35:58 UTC 2025
#63371: nonce issue when using WordPress mobile app in parallel with web
--------------------------+-----------------------------
Reporter: oferlaor | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.8
Severity: major | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
Steps to reproduce:
1. Log in as admin to WP on a regular browser
2. Log in to the same WP site using the WordPress mobile app (I am using iOS)
3. Upload some piece of media to the site through the mobile app (i.e., authenticate and actually use the mobile app for something)
4. Go back to the WP admin area in the regular browser, for example open the list of posts.
Expected result: I get the list of posts
Actual result: I get kicked into my profile page.
In the console, I can see multiple 403 errors. The error is: rest_cookie_invalid_nonce. Meaning, there’s a mismatch between the nonce we got in the mobile app and the desktop. At this point, WP should be creating a new nonce and continuing normally, but it seems that this functionality is broken in 6.8.
Things I tested:
1. Disabled caching plugins + cloudflare
2. If I downgrade the site from 6.8 to 6.7.2, it resolves the problem (even with caching plugin + cloudflare)
Conclusion: 6.8 nonce refresh might have a new bug in this flow. For now, I’ve reverted to 6.7.2.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63371>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
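The recovery the ticket expects (a stale X-WP-Nonce is rejected with 403 / rest_cookie_invalid_nonce, the client obtains a fresh nonce and continues) can be shown in a small client-side wrapper. The code below is an added illustration written for this ticket; it is not WordPress core's apiFetch nonce middleware and not the reporter's code. It assumes the admin-ajax "rest-nonce" action at /wp-admin/admin-ajax.php?action=rest-nonce returns a fresh wp_rest nonce as plain text (the endpoint core's nonce middleware uses), and it models the server with a constructed fake so the flow runs offline. It also covers the failure mode a naive retry loop gets wrong: a 403 for any other reason (rest_forbidden) must not trigger a refresh.

```javascript
// Added example (not WordPress core code). Demonstrates the recovery the
// ticket describes: a cookie-authenticated REST request rejected with 403
// and the error code rest_cookie_invalid_nonce is retried exactly once
// after fetching a fresh nonce. Any other 403 is returned as-is.
//
// Assumption: the admin-ajax action below returns a fresh 'wp_rest' nonce
// as plain text. Adjust the URL for a non-default admin path.
const NONCE_ENDPOINT = '/wp-admin/admin-ajax.php?action=rest-nonce';

// Sends a REST request carrying state.nonce in X-WP-Nonce. On a stale-nonce
// 403 it refreshes the nonce (counting the refresh in state.refreshes) and
// retries once. fetchImpl is injectable so the flow can run against a fake.
async function restRequest(path, state, fetchImpl = fetch) {
  const attempt = () => fetchImpl(path, {
    credentials: 'same-origin',
    headers: { 'X-WP-Nonce': state.nonce },
  });

  let res = await attempt();
  if (res.status === 403) {
    // Read the JSON error envelope without consuming the response we return.
    const body = await res.clone().json().catch(() => ({}));
    if (body.code === 'rest_cookie_invalid_nonce') {
      const nonceRes = await fetchImpl(NONCE_ENDPOINT, { credentials: 'same-origin' });
      state.nonce = (await nonceRes.text()).trim();
      state.refreshes += 1;
      res = await attempt(); // one retry only: no loop on repeated failures
    }
  }
  return res;
}

// Constructed fake server for offline use. It accepts only the nonce it
// issued most recently, rejects everything else with rest_cookie_invalid_nonce,
// and denies /settings with rest_forbidden even when the nonce is valid.
// Responses are plain objects with the subset of the Response API used above.
function makeFakeServer(initialValidNonce) {
  let validNonce = initialValidNonce;
  let issued = 0;
  const reply = (status, body) => ({
    status,
    async json() { return typeof body === 'string' ? JSON.parse(body) : body; },
    async text() { return typeof body === 'string' ? body : JSON.stringify(body); },
    clone() { return this; },
  });
  const fetchImpl = async (url, opts = {}) => {
    if (url === NONCE_ENDPOINT) {
      issued += 1;
      validNonce = `nonce-${issued}`;
      return reply(200, validNonce);
    }
    const sent = (opts.headers || {})['X-WP-Nonce'];
    if (sent !== validNonce) {
      return reply(403, { code: 'rest_cookie_invalid_nonce', message: 'Cookie check failed', data: { status: 403 } });
    }
    if (url.endsWith('/settings')) {
      return reply(403, { code: 'rest_forbidden', message: 'Sorry, you are not allowed to do that.', data: { status: 403 } });
    }
    return reply(200, [{ id: 1, title: { rendered: 'Hello world!' } }]);
  };
  return { fetchImpl };
}

// Plays the ticket's scenario offline: the browser tab still holds the nonce
// it was given at login, but the server has since stopped accepting it (the
// ticket reports this after the mobile app authenticated; here the rotation is
// simply simulated). The first request fails, the wrapper refreshes and succeeds.
async function demo() {
  const server = makeFakeServer('nonce-from-login');
  const tab = { nonce: 'nonce-from-login', refreshes: 0 };
  await server.fetchImpl(NONCE_ENDPOINT); // simulate the server rotating to nonce-1

  const posts = await restRequest('/wp-json/wp/v2/posts', tab, server.fetchImpl);

  // A genuine permission denial must come back untouched, with no refresh.
  const before = tab.refreshes;
  const denied = await restRequest('/wp-json/wp/v2/settings', tab, server.fetchImpl);

  return {
    status: posts.status,
    refreshes: tab.refreshes,
    nonce: tab.nonce,
    posts: await posts.json(),
    deniedStatus: denied.status,
    deniedRefreshes: tab.refreshes - before,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

Run stand-alone it prints status 200 with one refresh and the refreshed nonce, and a 403 for the settings request with zero refreshes. The single-retry rule matters: retrying on every 403 would turn a real rest_forbidden denial into a tight loop against the nonce endpoint, which is also why the wrapper inspects the error code rather than the status alone.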