WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#5664 closed defect (bug) (invalid)

wp_nonce_ays(): "Yes"-Button in nonce confirmation does not work

Reported by: salgar Owned by: westi
Priority: normal Milestone:
Component: General Version: 2.3
Severity: normal Keywords:
Cc:

Description

In function wp_nonce_ays() (in functions.php, line 1197), the form action
for the "Yes" button is set to $pagenow. It should be set to $_SERVERREQUEST_URI?.

Currently the "Yes" button in the nonce confirmation pages of my plugin leads to admin.php instead of admin.php?page=pluginname.php

This issue is also described by ozh in a mail to wp-hackers mailing list
http://comox.textdrive.com/pipermail/wp-hackers/2007-July/013579.html

Change History (2)

comment:1 westi5 years ago

  • Milestone changed from 2.3.3 to 2.6
  • Owner changed from anonymous to westi
  • Status changed from new to assigned

comment:2 westi5 years ago

  • Milestone 2.6 deleted
  • Resolution set to invalid
  • Status changed from assigned to closed

wp_nonce_ays() is dead as it allowed CSRF attacks on logged in users.

Note: See TracTickets for help on using tickets.