[wp-trac] [WordPress Trac] #65054: $_GET['pagenow'] and $_GET['widget'] unsanitized in dashboard AJAX handler
WordPress Trac
noreply at wordpress.org
Mon Apr 20 05:18:52 UTC 2026
#65054: $_GET['pagenow'] and $_GET['widget'] unsanitized in dashboard AJAX handler
-------------------------------------------------+-------------------------
Reporter: rajeshcp | Owner: rajeshcp
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: major | Resolution:
Keywords: has-patch needs-testing has-test-info | Focuses:
-------------------------------------------------+-------------------------
Comment (by liaison):
Note on Defensive Coding:
While the current logic employs validation via strict comparisons, applying
sanitize_key() to pagenow and widget is a necessary defense-in-depth
measure.
Unsanitized input creates several long-term risks:
Downstream Vulnerabilities: Prevents potential Reflected XSS if these
variables are later used in logging, dynamic hooks, or UI output by core
or third-party plugins.
Cache Pollution: Normalizing these inputs prevents "cache bloating" in
environments using Object Caching (Redis/Memcached), where randomized
strings could be used as keys to exhaust memory.
Attack Surface Reduction: Early sanitization ensures that the variables
are "normalized" (lowercase and alphanumeric) before they enter the
internal logic, mitigating risks like Path Traversal in future refactors.
This hardening aligns the function with the security standards seen in
other AJAX handlers like wp_ajax_meta_box_order().
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65054#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
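Added example (not WordPress core code and not part of the ticket): a stand-alone PHP sketch of the pattern the comment argues for, sanitizing both parameters first and then strict-comparing against an allowlist. sanitize_key_local() mirrors the normalization sanitize_key() performs so the block runs without WordPress loaded; the allowlist values and the handler shape are assumptions, since the ticket does not quote the handler.

```php
<?php
// Stand-in for WordPress sanitize_key(): lowercase, then keep only [a-z0-9_-].
// Use the real sanitize_key() when WordPress is loaded.
function sanitize_key_local(string $key): string {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
}

// Assumed allowlists; the ticket does not list the accepted values.
const ALLOWED_PAGENOW = ['dashboard', 'dashboard-user', 'dashboard-network'];
const ALLOWED_WIDGET  = ['dashboard_primary'];

// Sanitize first (defense in depth), then strict-compare. Returns the value
// the handler may use, or null when the parameter fails the allowlist.
// Non-string input (e.g. pagenow[]=x) is treated as empty rather than cast.
function validate_dashboard_request(array $get): array {
    $raw_page = is_string($get['pagenow'] ?? null) ? $get['pagenow'] : '';
    $raw_widg = is_string($get['widget'] ?? null) ? $get['widget'] : '';

    $pagenow = sanitize_key_local($raw_page);
    $widget  = sanitize_key_local($raw_widg);

    return [
        'pagenow' => in_array($pagenow, ALLOWED_PAGENOW, true) ? $pagenow : null,
        'widget'  => in_array($widget, ALLOWED_WIDGET, true) ? $widget : null,
    ];
}

// Constructed sample requests (not real traffic).
$samples = [
    ['pagenow' => 'dashboard',            'widget' => 'dashboard_primary'],
    // Case is folded before comparison, so this now passes the allowlist.
    ['pagenow' => 'Dashboard-User',       'widget' => 'dashboard_primary'],
    // Markup is stripped to 'dashboardimgsrcx', which the allowlist rejects.
    ['pagenow' => 'dashboard<img src=x>', 'widget' => 'dashboard_primary'],
    // Long random key and path-like widget name both rejected.
    ['pagenow' => str_repeat('z', 4096),  'widget' => '../../wp-config'],
    // Array injection is rejected instead of being cast to "Array".
    ['pagenow' => ['dashboard'],          'widget' => 'dashboard_primary'],
];

foreach ($samples as $s) {
    var_dump(validate_dashboard_request($s));
}
```

Note that sanitize_key() folds case, so a value such as "Dashboard" that the original strict comparison rejected is accepted after normalization; the allowlist comparison, not the sanitizer, is what bounds the set of values that reach set_current_screen() or a cache key.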