[wp-trac] [WordPress Trac] #65054: $_GET['pagenow'] and $_GET['widget'] unsanitized in dashboard AJAX handler
WordPress Trac
noreply at wordpress.org
Mon Apr 20 05:15:40 UTC 2026
#65054: $_GET['pagenow'] and $_GET['widget'] unsanitized in dashboard AJAX handler
-------------------------------------------------+-------------------------
Reporter: rajeshcp                               | Owner: rajeshcp
Type: defect (bug)                               | Status: assigned
Priority: normal                                 | Milestone: Awaiting Review
Component: Security                              | Version: trunk
Severity: major                                  | Resolution:
Keywords: has-patch needs-testing has-test-info  | Focuses:
-------------------------------------------------+-------------------------
Changes (by liaison):
* keywords: has-patch needs-testing => has-patch needs-testing has-test-info
Comment:
Test Report: Input Sanitization for pagenow in AJAX Actions
Summary
Verification of the sanitization vulnerability in
wp_ajax_dashboard_widgets() where the pagenow parameter was being used
without proper filtering. This report demonstrates the effectiveness of
applying sanitize_key() to prevent variable pollution.
Environment
WordPress Version: 7.0-beta1-61709-src
PHP Version: 7.4 / 8.x
Area: AJAX / Dashboard
Reproduction Steps
Using the Browser Developer Tools (Console), a "polluted" request was sent
to the dashboard-widgets action containing uppercase letters, special
characters, and spaces.
Payload:
{{{#!js
jQuery.get( ajaxurl, {
	action: 'dashboard-widgets',
	pagenow: 'DashBoard_!!!_For_Test',
	widget: 'dashboard_primary'
});
}}}
[[Image(65054-inject-DevTool.png)]]
Code Implementation (Testing Patch)
The following debug code was inserted into wp-admin/includes/ajax-actions.php
to compare the raw input against the sanitized output:
{{{#!php
<?php
function wp_ajax_dashboard_widgets() {
	require_once ABSPATH . 'wp-admin/includes/dashboard.php';
	// Debug only: keep the raw value next to the sanitized one for comparison.
	// Guard the raw read with isset() so a request without pagenow does not
	// emit an undefined-index notice into the same log.
	$raw_pagenow = isset( $_GET['pagenow'] ) ? $_GET['pagenow'] : '';
	$pagenow     = isset( $_GET['pagenow'] ) ? sanitize_key( $_GET['pagenow'] ) : '';
	error_log( "--- Audit Start ---" );
	error_log( "Raw Input: [" . $raw_pagenow . "]" );
	error_log( "Sanitized: [" . $pagenow . "]" );
	error_log( "--- Audit End ---" );
	// Subsequent logic...
}
}}}
Test Results (debug.log)
The logs confirm that while the raw input contained unsafe characters,
sanitize_key() correctly normalized the string according to WordPress
standards.
{{{
[20-Apr-2026 05:01:41 UTC] --- Audit Start ---
[20-Apr-2026 05:01:41 UTC] Raw Input: [DashBoard_!!!_For_Test]
[20-Apr-2026 05:01:41 UTC] Sanitized: [dashboard__for_test]
[20-Apr-2026 05:01:41 UTC] --- Audit End ---
}}}
Discussion & Conclusion
Variable Consistency: The sanitized value dashboard__for_test removes the
risk of inconsistent logic handling caused by case sensitivity (e.g.,
DashBoard vs dashboard).
Security Posture: Removing special characters (!!!) prevents the variable
from being used as a vector for path traversal or other injection attacks
if the variable is passed to other core functions in the future.
Recommendation: The patch to include sanitize_key() should be merged to
align this function with the defensive coding standards seen in other AJAX
handlers like wp_ajax_meta_box_order().
The same applies to $widget.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65054#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
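As an added illustration (not the ticket's patch and not WordPress core code), the following stand-alone PHP applies the report's recommendation to both parameters and then checks the normalized values against an allowlist; for the report's payload the `sanitize_key()` stand-in yields the same `dashboard__for_test` that the debug.log above shows. The helper `dashboard_widgets_request_params()`, the two allowlists and the second constructed widget value are assumptions made for the example.

```php
<?php
// Added example, not the ticket's patch and not WordPress core code.
// It shows the shape the report recommends: both $_GET['pagenow'] and
// $_GET['widget'] pass through sanitize_key() before any further use, and
// the normalized values are then matched against an allowlist.

// Stand-in for WordPress' sanitize_key() so this file runs outside WordPress.
// It reproduces the normalization visible in the report's debug.log
// (lowercase, then strip everything except a-z, 0-9, '_' and '-'); the real
// function additionally applies the 'sanitize_key' filter hook.
if ( ! function_exists( 'sanitize_key' ) ) {
	function sanitize_key( $key ) {
		$key = is_scalar( $key ) ? strtolower( (string) $key ) : '';
		return preg_replace( '/[^a-z0-9_\-]/', '', $key );
	}
}

// Hypothetical helper: normalizes the two request parameters the handler
// reads and returns them so the result can be audited or logged.
function dashboard_widgets_request_params( array $get ) {
	return array(
		'pagenow' => isset( $get['pagenow'] ) ? sanitize_key( $get['pagenow'] ) : '',
		'widget'  => isset( $get['widget'] )  ? sanitize_key( $get['widget'] )  : '',
	);
}

// Hypothetical allowlists: sanitizing shapes the string; the allowlist
// decides whether it names something the handler is willing to act on.
$allowed_pagenow = array( 'dashboard', 'dashboard-user', 'dashboard-network' );
$allowed_widgets = array( 'dashboard_primary' );

// Constructed request mirroring the report's payload, with a second
// constructed value showing that a hostile widget id is flattened as well.
$polluted = array(
	'action'  => 'dashboard-widgets',
	'pagenow' => 'DashBoard_!!!_For_Test',
	'widget'  => 'Dashboard_Primary/../evil',
);
$clean = dashboard_widgets_request_params( $polluted );

// Print raw vs. sanitized for each parameter, plus the allowlist verdict.
foreach ( $clean as $name => $value ) {
	$list    = ( 'pagenow' === $name ) ? $allowed_pagenow : $allowed_widgets;
	$verdict = in_array( $value, $list, true ) ? 'accepted' : 'rejected';
	printf( "%-7s raw=[%s] sanitized=[%s] %s\n", $name, $polluted[ $name ], $value, $verdict );
}
```

Run it with `php example.php`; both constructed values are normalized but rejected, which is the point: sanitize_key() removes the unsafe characters, and the strict allowlist comparison decides what the handler actually acts on.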