[wp-trac] [WordPress Trac] #64489: Admin Ajax: Improve action input sanitization with sanitize_key()
WordPress Trac
noreply at wordpress.org
Fri Jan 9 16:47:19 UTC 2026
#64489: Admin Ajax: Improve action input sanitization with sanitize_key()
--------------------------+-----------------------------
Reporter: mohammadzaid | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
== Issue ==
`admin-ajax.php` handles {{{$_REQUEST['action']}}} without the full WordPress
sanitization chain.
== Fix Applied ==
1. Added {{{isset()}}} + {{{is_scalar()}}} checks
2. Applied {{{sanitize_key( wp_unslash( $_REQUEST['action'] ) )}}}
3. Preserved existing early {{{wp_die()}}} guard
== Why {{{sanitize_key()}}} ==
Action names should only contain lowercase alphanumerics, underscores and
hyphens, per WP standards.
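As an added illustration (not WordPress core code and not the patch attached to this ticket), the {{{isset()}}} + {{{is_scalar()}}} + {{{sanitize_key( wp_unslash() )}}} chain described above in stand-alone PHP; when WordPress is not loaded, {{{wp_unslash()}}} and {{{sanitize_key()}}} get simplified stand-ins that mirror their documented behaviour (the real functions also run filters, omitted here). The helper name {{{resolve_ajax_action()}}} and the sample inputs are assumptions of this example.

```php
<?php
// Added example, not WordPress core code. Stand-ins for the two WP helpers
// so the snippet runs outside WordPress; inside WP the real ones are used.
if ( ! function_exists( 'wp_unslash' ) ) {
    // Mirrors stripslashes_deep(): strip magic-quote style slashes recursively.
    function wp_unslash( $value ) {
        return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( $value );
    }
}

if ( ! function_exists( 'sanitize_key' ) ) {
    // Mirrors core behaviour: non-scalar -> '', else lowercase and keep only
    // a-z, 0-9, '_' and '-'. The apply_filters() call in core is omitted.
    function sanitize_key( $key ) {
        if ( ! is_scalar( $key ) ) {
            return '';
        }
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

/**
 * Resolve the admin-ajax action name from a request array (hypothetical
 * helper). Returns the normalized action, or null when no usable action is
 * present (missing, non-scalar, or empty after sanitization) so the caller
 * can keep the existing early wp_die() guard.
 */
function resolve_ajax_action( array $request ) {
    if ( ! isset( $request['action'] ) || ! is_scalar( $request['action'] ) ) {
        return null;
    }
    $action = sanitize_key( wp_unslash( $request['action'] ) );
    return '' === $action ? null : $action;
}

// Constructed sample inputs (not from a real request log), one per edge case.
$samples = array(
    array( 'action' => 'heartbeat' ),            // already a valid key
    array( 'action' => 'Save-Post_v2' ),         // mixed case is lowercased
    array( 'action' => "my\\'action<script>" ), // slashed quote and markup dropped
    array( 'action' => array( 'nested' ) ),      // non-scalar input is rejected
    array(),                                     // action parameter missing
);
foreach ( $samples as $req ) {
    var_dump( resolve_ajax_action( $req ) );
}
```

Because {{{sanitize_key()}}} lowercases, two action names that differ only in case now resolve to the same {{{wp_ajax_*}}} hook, which is worth checking against any plugin that registered mixed-case actions.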
== Testing ==
* {{{npm run lint:php}}}
* {{{npm run test:php}}} (PHPUnit warnings are core baseline)
* Manual admin AJAX testing
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64489>
WordPress Trac <https://core.trac.wordpress.org/>