[wp-trac] [WordPress Trac] #63866: Always sanitize the first parameter of wp_verify_nonce
WordPress Trac
noreply at wordpress.org
Sat Aug 23 13:23:04 UTC 2025
#63866: Always sanitize the first parameter of wp_verify_nonce
-------------------------+------------------------------
Reporter: davidperez | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
-------------------------+------------------------------
Comment (by SirLouen):
Replying to [comment:2 rollybueno]:
> Personally, I don't think the `$nonce` param needs sanitizing. There's
> no input/output on `wp_verify_nonce()`, no database saving and no actual
> output display. It simply uses the `$nonce` value inside `hash_equals`,
> which should return a boolean, but we use 1 and 2. There's no possible
> security threat in that matter.
A malformed nonce gets direct access to the action hook within
`wp_verify_nonce`. This has probably become a CVE for other plugins at
some point in the past that could coexist with other plugins that don't
sanitize and call this hook, most likely. Ultimately we could say that
it's their fault for not sanitizing the incoming nonce parameter depending
on the use they make of it…
And similarly to what you have observed, who could care to sanitize the
nonce? I'm not sure why the core/plugins members should take
responsibility for sanitizing this nonce either. If anyone is going to
play further with the hook, they should do their duty.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63866#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
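As an added illustration (not code from the ticket or from WordPress core): a plugin callback on core's `wp_verify_nonce_failed` action, which is the hook the comment refers to and which receives the unverified `$nonce` as its first argument. The callback name and the logging policy are this example's own assumptions; the point is that whoever hooks the action, not core, treats the value as untrusted input.

```php
<?php
// Added example, not from the ticket or from WordPress core. The action
// 'wp_verify_nonce_failed' is core's; everything else here is assumed.
add_action( 'wp_verify_nonce_failed', 'example_log_failed_nonce', 10, 4 );

/**
 * Record a failed nonce check without trusting the nonce value itself.
 *
 * @param string  $nonce  Value handed to wp_verify_nonce(), unsanitized.
 * @param string|int $action Nonce action.
 * @param WP_User $user   User the check ran for.
 * @param string  $token  Session token.
 */
function example_log_failed_nonce( $nonce, $action, $user, $token ) {
    // A genuine WordPress nonce is 10 lowercase hex characters; anything
    // else is malformed input and is described rather than copied.
    $safe_nonce = is_string( $nonce ) && preg_match( '/^[0-9a-f]{10}$/', $nonce )
        ? $nonce
        : '[malformed, ' . strlen( (string) $nonce ) . ' bytes]';

    // $action may be an int or an arbitrary string; keep it short and printable.
    $safe_action = substr( sanitize_text_field( (string) $action ), 0, 100 );

    error_log( sprintf(
        'nonce check failed: action=%s nonce=%s user=%d',
        $safe_action,
        $safe_nonce,
        $user instanceof WP_User ? (int) $user->ID : 0
    ) );

    // Sanitizing for the log is not escaping for output: if this value is
    // ever shown in an admin screen it still goes through esc_html().
}
```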