Make WordPress Core


Timestamp: 05/16/2023 02:26:01 PM
Author: audrasjb
Message:

Media: Prevent CSRF setting attachment thumbnails.

Props martinkrcho, paulkevan, peterwilsoncc, xknown, peterwilsoncc.

File:
1 edited

  • trunk/src/wp-admin/includes/ajax-actions.php

    r55703 r55764  
    27722772    }
    27732773
     2774    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
     2775        wp_send_json_error();
     2776    }
     2777
    27742778    $post_ids = array();
    27752779    // For each URL, try to find its corresponding post ID.
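
Review bot: at new lines 2774-2776 the failure branch calls wp_send_json_error() with no data and no status code, so the client cannot tell a rejected nonce from any other failure; consider passing a short message and a 403 status as the second argument. Because check_ajax_referer() is called with its third argument set to false, it returns instead of dying, and the explicit wp_send_json_error() is what ends the request, so that call must stay directly inside the if. Only ajax-actions.php is edited in this changeset, so please confirm that the request reaching this handler already sends `_ajax_nonce` created for the 'set-attachment-thumbnail' action; otherwise every call will now be rejected. The nonce is tied to the action name, not to a particular attachment, so it stops cross-site requests but does not replace a capability check on each post ID resolved in the "For each URL" code that follows.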