[wp-trac] [WordPress Trac] #63866: Always sanitize the first parameter of wp_verify_nonce
WordPress Trac
noreply at wordpress.org
Sat Aug 23 10:29:13 UTC 2025
#63866: Always sanitize the first parameter of wp_verify_nonce
-------------------------+------------------------------
Reporter: davidperez | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
-------------------------+------------------------------
Changes (by rollybueno):
* keywords: => 2nd-opinion
Comment:
Personally, I don't think the `$nonce` param needs sanitizing. There's no
input/output on `wp_verify_nonce()`, no database saving and no actual
output display. It simply uses the `$nonce` value inside `hash_equals`,
which should returns boolean, but we use 1 and 2. There's no possible
security threat in that matter.
However, if this is what the Plugins Team prefers on the submission
guidelines, then we can add it after the string type casting.
You can see the function here:
https://core.trac.wordpress.org/browser/tags/6.8.2/src/wp-
includes/pluggable.php#L2369
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63866#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list