[wp-trac] [WordPress Trac] #63065: Reject nonce if presented as array
WordPress Trac
noreply at wordpress.org
Thu Mar 6 15:31:26 UTC 2025
#63065: Reject nonce if presented as array
--------------------------+-----------------------------
Reporter: leedxw | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.7.2
Severity: normal | Keywords: has-patch
Focuses: |
--------------------------+-----------------------------
An attacker against {{{/wp-comments-post.php}}} is causing the following
warning (suggesting the nonce is not checked to be a string).
{{{
PHP Warning: Array to string conversion in /var/www/html/wp-includes/pluggable.php on line 2355
}}}
I was able to reproduce this by switching {{{akismet_comment_nonce}}} to
be an array (on a site with Akismet installed).
{{{
curl \
-F author=test -F email=test@example.com \
-F comment=test \
-F comment_parent=0 -F comment_post_ID=1 \
-F akismet_comment_nonce[1]=123 -F ak_js_1=123 \
http://localhost/wp-comments-post.php
}}}
Suggested fix is for {{{wp_verify_nonce()}}} to return false if nonce is
an array before any string functions are applied.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63065>
WordPress Trac <https://core.trac.wordpress.org/>
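The guard the ticket proposes, shown on a compact model of WordPress-style nonces (keyed hash over "tick|action|user", truncated to 10 hex characters, current or previous tick accepted). This is an added example, not WordPress core code: the function names, the constant `NONCE_SECRET` standing in for the nonce salt, and the timestamp and user id in the simulated requests are all assumptions made here for illustration.

```php
<?php
// Added example; not WordPress core code. Models the shape of a WordPress
// nonce so the array-input failure from the ticket can be reproduced offline.
// NONCE_SECRET is a stand-in for the real nonce salt (assumption).

const NONCE_SECRET = 'replace-with-a-real-secret';
const NONCE_LIFE   = 12 * 3600; // 12 hours, the default nonce lifetime

function nonce_tick(int $now): int {
    // Nonces rotate every half-life; the previous tick is still accepted.
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string {
    return substr(hash_hmac('md5', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $user_id, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

// Hardened verifier: reject anything that is not a non-empty string before
// any string operation touches it. Returns 1 (current tick), 2 (previous
// tick) or false, the same contract wp_verify_nonce() documents.
function verify_nonce($nonce, string $action, int $user_id, int $now) {
    if (!is_string($nonce) || $nonce === '') {
        // Arrays, ints, null and objects can never be a valid nonce. Returning
        // here avoids both the "Array to string conversion" warning a (string)
        // cast would emit and the TypeError hash_equals() throws on a non-string.
        return false;
    }
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action, $user_id), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action, $user_id), $nonce)) {
        return 2;
    }
    return false;
}

// Constructed request bodies. PHP decodes "akismet_comment_nonce[1]=123"
// into a nested array, so the curl command in the ticket produces the second
// shape in $_POST. The timestamp and the anonymous user id 0 are assumptions.
$now       = 1741275086;
$good_post = ['akismet_comment_nonce' => create_nonce('akismet_comment', 0, $now)];
$bad_post  = ['akismet_comment_nonce' => [1 => '123']];

var_dump(verify_nonce($good_post['akismet_comment_nonce'], 'akismet_comment', 0, $now));
var_dump(verify_nonce($bad_post['akismet_comment_nonce'],  'akismet_comment', 0, $now));
```

Run with `php example.php`: the first call reports the current tick and the second returns false without emitting any warning. Dropping the `is_string()` check and casting with `(string) $nonce` instead is what reproduces the ticket's symptom: PHP warns "Array to string conversion" and the value that reaches the comparison is the literal string "Array", which is harmless for the comparison itself but fills the log with warnings an attacker controls.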