[wp-trac] [WordPress Trac] #50510: Improve security of wp_nonce implementation
WordPress Trac
noreply at wordpress.org
Tue Feb 18 11:45:58 UTC 2025
#50510: Improve security of wp_nonce implementation
-------------------------------+----------------------
Reporter: chaoix | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: wontfix
Keywords: reporter-feedback | Focuses:
-------------------------------+----------------------
Changes (by johnbillion):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
Closing this off as there's been no clear information provided about the
weakness in the current approach. The points in my comment above still
stand.
Also a reminder that a nonce should never be used on its own for
authentication; it's a CSRF protection that verifies intent and should
always be accompanied by a user capability check.
Thanks!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50510#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
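The point in the closing comment, a nonce check followed by a capability check, as an added example that is not code from WordPress core or from the ticket. It shows a hypothetical plugin's delete handler first with only the nonce check and then with the capability check added; all `myplugin_` names, the field names and the nonce action string are assumptions for the example, while `wp_verify_nonce()`, `current_user_can()`, `wp_nonce_field()` and the `admin_post_*` hook are real WordPress APIs.

```php
<?php
/**
 * Added example (not code from WordPress core or from the ticket): a form
 * handler that deletes a post, shown first with only a nonce check and then
 * with the capability check the comment above calls for. Every name prefixed
 * "myplugin_" and both constants are hypothetical.
 */

// Hypothetical nonce action and hidden-field name.
const MYPLUGIN_NONCE_ACTION = 'myplugin_delete_item';
const MYPLUGIN_NONCE_FIELD  = 'myplugin_nonce';

/**
 * Emits the form. wp_nonce_field() adds the hidden nonce input that ties
 * this form to the action string for the current user session.
 */
function myplugin_render_delete_form( int $post_id ): void {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_delete_item">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( (string) $post_id ) . '">';
    wp_nonce_field( MYPLUGIN_NONCE_ACTION, MYPLUGIN_NONCE_FIELD );
    submit_button( 'Delete' );
    echo '</form>';
}

/** Reads and sanitises the submitted nonce (empty string when absent). */
function myplugin_posted_nonce(): string {
    return isset( $_POST[ MYPLUGIN_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ MYPLUGIN_NONCE_FIELD ] ) )
        : '';
}

/**
 * WEAK: the nonce only proves the request originated from a form WordPress
 * rendered for this user's session, i.e. it is not a cross-site forgery.
 * It says nothing about whether the user may delete this post, so any
 * logged-in user who can reach the form passes this check.
 */
function myplugin_handle_delete_nonce_only(): void {
    if ( false === wp_verify_nonce( myplugin_posted_nonce(), MYPLUGIN_NONCE_ACTION ) ) {
        wp_die( 'Invalid or expired nonce.', 'Error', array( 'response' => 403 ) );
    }
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // no authorisation decision was made
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

/**
 * HARDENED: the same nonce check (intent / CSRF), followed by an explicit
 * capability check against the specific object (authorisation).
 */
function myplugin_handle_delete(): void {
    // 1. Intent: reject forged cross-site requests. wp_verify_nonce() returns
    //    1 or 2 (nonce age) on success and false on failure, so compare strictly.
    if ( false === wp_verify_nonce( myplugin_posted_nonce(), MYPLUGIN_NONCE_ACTION ) ) {
        wp_die( 'Invalid or expired nonce.', 'Error', array( 'response' => 403 ) );
    }

    // 2. Authorisation: may THIS user delete THIS post? 'delete_post' is a
    //    meta capability that map_meta_cap() resolves per post (own vs
    //    others', published vs draft), so pass the post ID.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this item.', 'Forbidden', array( 'response' => 403 ) );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Register the hardened handler for admin-post.php. The hook suffix matches
// the form's hidden "action" value. The admin_post_nopriv_* variant for
// logged-out users is deliberately not registered.
add_action( 'admin_post_myplugin_delete_item', 'myplugin_handle_delete' );
```

The nonce step can also be written as `check_admin_referer( MYPLUGIN_NONCE_ACTION, MYPLUGIN_NONCE_FIELD )`, which calls `wp_die()` for you on failure; either way it only answers "did this user intend this request", and the `current_user_can()` call is what answers "is this user allowed to do it".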