Make WordPress Core

Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#38661 closed enhancement (invalid)

There is no one way of checking the nonce on plugin uninstallation

Reported by: szepe.viktor
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.6.1
Component: Plugins
Keywords: close
Focuses:
Cc:

Description

Before the shiny AJAX plugin de/activation and un/installation, in the plugin uninstall function registered with register_uninstall_hook we should have used check_admin_referer( 'bulk-plugins' );

But now check_ajax_referer( 'updates' ); works only as long as the user has not disabled JavaScript.

I think there is no way to use only one function for validating the nonce.
Please advise.

Change History (3)

#1 @szepe.viktor
3 years ago

  • Keywords close added
  • Resolution set to worksforme
  • Status changed from new to closed

You must wrap check_admin_referer() in wp_doing_ajax() as all AJAX plugin actions check their nonces!

#2 @dd32
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution changed from worksforme to invalid

Plugins should not check core nonces on the deactivation/activation/uninstallation hooks as core does this for them.

Plugins also cannot expect that they're being activated by the web ui, as they may also happen through the CLI (see wp-cli) or other management scripts which might fire off the hooks.

In short: Check any nonces which the plugin adds, but allow core to validate its own nonces.
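The split dd32 describes, as an added example (this is illustrative code written for this page, not code from the ticket or from WordPress core; every `exnh_` function, option and nonce action name is hypothetical): the activation, deactivation and uninstall callbacks contain no nonce check at all, because core validates `bulk-plugins` / `updates` before it fires those hooks and WP-CLI fires them with no request to validate. The plugin's own admin-post action, on the other hand, emits its own nonce with `wp_nonce_field()` and verifies it with `check_admin_referer()`, since nobody else will.

```php
<?php
/**
 * Plugin Name: Example Nonce Handling (added example, not from the ticket)
 *
 * Lifecycle hooks: no nonce checks. The plugin's own action: its own nonce.
 * All names prefixed "exnh_" are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

// --- Lifecycle hooks: core has already validated its nonce before calling these.

function exnh_activate() {
	// Wrong here: check_admin_referer( 'bulk-plugins' ). Under
	// `wp plugin activate ...` there is no request and no nonce, so that
	// call would wp_die() and abort the activation.
	add_option( 'exnh_settings', array( 'enabled' => true ) );
}
register_activation_hook( __FILE__, 'exnh_activate' );

function exnh_deactivate() {
	wp_clear_scheduled_hook( 'exnh_cron' );
}
register_deactivation_hook( __FILE__, 'exnh_deactivate' );

function exnh_uninstall() {
	// Runs only via the uninstall_{plugin} action that core fires after
	// its own capability and nonce checks (or from WP-CLI), so the only
	// job here is cleanup.
	delete_option( 'exnh_settings' );
}
register_uninstall_hook( __FILE__, 'exnh_uninstall' );

// --- The plugin's own admin action: this nonce IS the plugin's to check.

function exnh_register_menu() {
	add_management_page( 'Example', 'Example', 'manage_options', 'exnh', 'exnh_render_page' );
}
add_action( 'admin_menu', 'exnh_register_menu' );

function exnh_render_page() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="exnh_reset" />
		<?php wp_nonce_field( 'exnh_reset', '_exnh_nonce' ); // plugin-owned nonce ?>
		<?php submit_button( 'Reset settings' ); ?>
	</form>
	<?php
}

function exnh_handle_reset() {
	// Capability first, then the nonce this plugin emitted above.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	// Verifies the plugin's own nonce; dies with "Are you sure?" on failure.
	check_admin_referer( 'exnh_reset', '_exnh_nonce' );

	update_option( 'exnh_settings', array( 'enabled' => true ) );
	wp_safe_redirect( admin_url( 'tools.php?page=exnh&reset=1' ) );
	exit;
}
add_action( 'admin_post_exnh_reset', 'exnh_handle_reset' );
```

The same reasoning applies to core's `updates` AJAX nonce: it belongs to the AJAX handlers in core that call `check_ajax_referer( 'updates' )`, not to the plugin, so the plugin never needs to know whether it was activated from the JavaScript path, the no-JavaScript form post or the command line.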

#3 @szepe.viktor
3 years ago

Thank you.

Yes, in wp-admin/plugins.php in the case branch 'delete-selected' there is

    check_admin_referer('bulk-plugins');
Last edited 3 years ago by szepe.viktor