#38661 closed enhancement (invalid)
There is no one way of checking the nonce on plugin uninstallation
| Reported by: | szepe.viktor | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.6.1 |
| Component: | Plugins | Keywords: | close |
| Focuses: | | Cc: | |
Description
Before the shiny AJAX plugin de/activation and un/installation, in the registered (`register_uninstall_hook`) plugin uninstall function we should have used `check_admin_referer( 'bulk-plugins' );`
But now `check_ajax_referer( 'updates' );` works, unless the user has disabled JavaScript.
I think there is no way to use only one function for validating the nonce.
Please advise.
Change History (3)
#1 @ 7 years ago
- Keywords close added
- Resolution set to worksforme
- Status changed from new to closed
#2 @ 7 years ago
- Milestone Awaiting Review deleted
- Resolution changed from worksforme to invalid
Plugins should not check core nonces on the deactivation/activation/uninstallation hooks, as core does this for them.
Plugins also cannot expect that they're being activated by the web UI, as activation may also happen through the CLI (see wp-cli) or other management scripts which might fire off the hooks.
In short: check any nonces which the plugin adds, but allow core to validate its own nonces.
#3 @ 7 years ago
Thank you.
Yes, in wp-admin/plugins.php, in the `'delete-selected'` case branch there is:

```php
<?php check_admin_referer('bulk-plugins');
```

You must wrap `check_admin_referer()` in `wp_doing_ajax()`, as all AJAX plugin actions check their nonces!
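The following is an added example, not code from this ticket or from WordPress core, showing the split that comments 2 and 3 describe: the uninstall callback leaves core's `bulk-plugins` / `updates` nonces alone (so it still works under wp-cli, where no nonce exists), while the plugin's own admin action verifies the plugin's own nonce, choosing `check_ajax_referer()` or `check_admin_referer()` via `wp_doing_ajax()`. The plugin slug `example-plugin`, the option `example_plugin_settings` and the action name `example_plugin_reset` are assumptions made for the example; the WordPress functions called are real core APIs.

```php
<?php
/**
 * Added example (not from the ticket or from WordPress core).
 * Assumed/hypothetical names: "example-plugin", option
 * "example_plugin_settings", action "example_plugin_reset".
 */

// --- 1. Uninstall hook: no core nonce check here. --------------------------
// wp-admin/plugins.php runs check_admin_referer('bulk-plugins') (or, on the
// AJAX path, check_ajax_referer('updates')) before this hook fires, and
// wp-cli fires the same hook with no nonce at all. Re-checking a core nonce
// here would only break the non-browser paths. Core defines
// WP_UNINSTALL_PLUGIN on both uninstall paths, so that is the sanity guard.
function example_plugin_uninstall() {
    if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
        return; // Not a genuine uninstall: do nothing.
    }
    delete_option( 'example_plugin_settings' );
}
register_uninstall_hook( __FILE__, 'example_plugin_uninstall' );

// --- 2. The plugin's OWN action: this is the nonce the plugin must check. --
// The same worker serves a classic form POST (admin-post.php) and an AJAX
// call (admin-ajax.php); only the nonce-checking function differs.
function example_plugin_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_reset" />
        <?php wp_nonce_field( 'example_plugin_reset', 'example_plugin_nonce' ); ?>
        <?php submit_button( 'Reset settings' ); ?>
    </form>
    <?php
}

function example_plugin_handle_reset() {
    // Capability first: a valid nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    if ( wp_doing_ajax() ) {
        // On failure dies with -1 / HTTP 403, like core's own AJAX handlers.
        check_ajax_referer( 'example_plugin_reset', 'example_plugin_nonce' );
    } else {
        // On failure shows core's "link has expired" screen.
        check_admin_referer( 'example_plugin_reset', 'example_plugin_nonce' );
    }

    delete_option( 'example_plugin_settings' );

    if ( wp_doing_ajax() ) {
        wp_send_json_success( array( 'reset' => true ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&reset=1' ) );
    exit;
}
add_action( 'admin_post_example_plugin_reset', 'example_plugin_handle_reset' );
add_action( 'wp_ajax_example_plugin_reset',   'example_plugin_handle_reset' );
```

An AJAX caller posts the same two fields (`action` and `example_plugin_nonce`, the latter taken from the rendered form or from `wp_create_nonce( 'example_plugin_reset' )`) to admin-ajax.php; the uninstall callback, by contrast, never looks at `$_REQUEST` at all, which is what keeps it working from wp-cli and from the JavaScript-free fallback of plugins.php alike.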