Widget Update Error
Reported by: greaterweb | Owned by: azaozz
A client of mine appears to have surfaced a bug when saving updates to a widget. This bug was originally discovered through an update to a custom slider widget I had developed. Further testing has replicated the issue with other widgets including the basic WordPress text widget.
Turns out widget text (text input or textarea) cannot contain the words "select" and "from", specifically in that order. An error remains present even if words are inserted between the two, such as "I selected WordPress as the best software from Automattic". Reversing the order of words will not trigger an error.
Place a text widget in one of your widget areas. Enter the text "select from" in either the title input or main textarea box. Hit save and the circular icon will pop up (as expected), though as the ajax update fails the icon remains present.
I was still able to replicate the issue even after disabling all plugins and reverting to the default WordPress theme.
It seems pretty apparent that we have a bit of SQL Injection prevention kicking in. I have tested this on two separate client sites and did some ajax debugging with the aid of Firebug. What is odd is one site makes the request to wp-admin/admin-ajax.php and gets a 500 Internal Server Error. An identical test on a second site returns a 404 Not Found for the wp-admin/admin-ajax.php request. Both of these sites reside on the same web server.
I couldn't find a ticket for anything similar and was unable to get anyone to confirm/replicate it with a post in the forums.
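
Added example, not part of the original ticket: a small Python triage script that reproduces the reported symptoms with a hypothetical keyword rule ("select" followed anywhere later by "from") applied to a constructed widget-save request body, and reports which form field tripped it. The rule, the field names and the sample values are assumptions; the ticket does not show the actual filter on the server.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode

# Hypothetical keyword rule: "select" followed anywhere later by "from".
# Assumption: the real filter on the reporter's server is not shown in the ticket.
NAIVE_RULE = re.compile(r"select.*from", re.IGNORECASE | re.DOTALL)


def flagged_fields(body: str, rule: re.Pattern = NAIVE_RULE) -> list[str]:
    """Return the names of form fields whose decoded value matches the rule."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if rule.search(value)]


def simulate_save(title: str, text: str) -> tuple[bool, list[str]]:
    """Build a constructed widget-save POST body and apply the filter.

    Returns (blocked, offending_fields). blocked=True means the filter would
    reject the request before the application ever sees it.
    """
    body = urlencode({
        "action": "save-widget",            # constructed sample request
        "widget-text[2][title]": title,     # constructed field names
        "widget-text[2][text]": text,
    })
    hits = flagged_fields(body)
    return bool(hits), hits


# Constructed inputs based on the phrases in the report.
SAMPLES = [
    ("News", "select from"),
    ("News", "I selected WordPress as the best software from Automattic"),
    ("News", "from the menu, select a theme"),   # reversed order: passes
    ("select from", "plain text"),               # title field instead of body
]

if __name__ == "__main__":
    for title, text in SAMPLES:
        blocked, hits = simulate_save(title, text)
        print("BLOCKED" if blocked else "ok     ", hits, repr(title), repr(text))
```

The second sample is blocked because an unanchored pattern matches "select" inside "selected", which is the kind of false positive on ordinary prose that the report describes.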