[wp-trac] [WordPress Trac] #63866: Always sanitize the first parameter of wp_verify_nonce
WordPress Trac
noreply at wordpress.org
Sat Aug 23 09:11:55 UTC 2025
#63866: Always sanitize the first parameter of wp_verify_nonce
-------------------------+-----------------------------
Reporter: davidperez | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
We ask developers to sanitize and unslash the first parameter of
wp_verify_nonce.
Wouldn't it be easier if that piece of repetitive code were not necessary?
In the Plugins Team, we often detect that developers forget to do this.
I’m also thinking about the wider community. Many developers may be using
wp_verify_nonce incorrectly, without sanitizing it. By handling this
automatically, we could prevent security leaks and encourage cleaner code.
This is the correct way to use it right now:
{{{#!php
<?php
wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['plugin_slug_nonce_field'] ) ), 'plugin_slug_action_nonce' );
}}}
And this is the ideal way, with sanitization handled inside the function:
{{{#!php
<?php
wp_verify_nonce( $_POST['plugin_slug_nonce_field'], 'plugin_slug_action_nonce' );
}}}
Does this make it cleaner and more straightforward?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63866>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
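The unslash-then-sanitize-then-verify pattern the ticket describes, written once as a plugin-side helper so the repetitive code is not copied into every handler. This is an added example, not code from the ticket or from WordPress core; the helper name, the field name, the action string and the handler function are assumptions, and it assumes it runs inside WordPress where wp_unslash(), sanitize_text_field(), wp_verify_nonce() and wp_die() are available.

```php
<?php
// Added example (not from the ticket or WordPress core). Assumed names:
// plugin_slug_verify_request_nonce, plugin_slug_handle_settings_save,
// the field 'plugin_slug_nonce_field' and the action 'plugin_slug_action_nonce'.

/**
 * Verify a nonce submitted in a request field.
 *
 * Returns the raw wp_verify_nonce() result (1, 2 or false) so callers can still
 * tell a nonce from the current 12-hour tick (1) from one from the previous tick (2).
 *
 * @param array  $request Usually $_POST or $_GET.
 * @param string $field   Name of the nonce field in the request.
 * @param string $action  Nonce action the field was generated for.
 * @return int|false 1, 2 or false.
 */
function plugin_slug_verify_request_nonce( array $request, string $field, string $action ) {
    // A missing field is a failed check, not a PHP notice.
    if ( ! isset( $request[ $field ] ) ) {
        return false;
    }

    // A nonce is a plain string; reject arrays (field[]=...) and other types
    // explicitly instead of letting them be coerced to a string downstream.
    if ( ! is_string( $request[ $field ] ) ) {
        return false;
    }

    // WordPress slashes the superglobals, so unslash first, then strip anything
    // a real nonce never contains (tags, control characters, surrounding whitespace).
    $nonce = sanitize_text_field( wp_unslash( $request[ $field ] ) );

    return wp_verify_nonce( $nonce, $action );
}

/**
 * Example form handler: refuse the request with a 403 when the nonce check fails.
 */
function plugin_slug_handle_settings_save() {
    $result = plugin_slug_verify_request_nonce(
        $_POST,
        'plugin_slug_nonce_field',
        'plugin_slug_action_nonce'
    );

    if ( false === $result ) {
        // Stop here rather than silently continuing with an unverified request.
        wp_die(
            esc_html__( 'The link you followed has expired.', 'plugin-slug' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Nonce verified: read and sanitize the remaining form fields from $_POST here.
}
```

Keeping the helper's return value as 1, 2 or false rather than collapsing it to a boolean preserves the distinction core already makes between a fresh nonce and one in its second validity window, which is useful when deciding whether to ask the user to resubmit.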