Context Navigation

← Previous Change
Next Change →

ajax-actions.php

Timestamp:

05/16/2023 03:23:11 PM (2 years ago)

Author:

SergeyBiryukov

Message:

Grouped backports to the 4.2 branch.

Media: Prevent CSRF setting attachment thumbnails.

Merges [55764] to the 4.2 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

File:

: 1 edited

branches/4.2/src/wp-admin/includes/ajax-actions.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

branches/4.2/src/wp-admin/includes/ajax-actions.php

-                      r45953
+                      r55775
+    }
+    if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+        wp_send_json_error();
+    }
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 55775 for branches/4.2/src/wp-admin/includes/ajax-actions.php

Legend:

branches/4.2/src/wp-admin/includes/ajax-actions.php

Download in other formats: