id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
41617,wp_verify_nonce() check fails on several websites because of filter possibility in wp_nonce_tick(),ReneHermi,,"wp_nonce_tick() is an essential part of the hash which is used as the nonce for creating and checking if a request is authenticated. Unfortunately wp_nonce_tick() is filterable by third-party developers! So it happens occasionally that other plugins hook in there and change the nonce lifetime. Usually not a big deal if these filters always ran globally and with the highest priority, BUT as every plugin developer is baking their own cake and every plugin is loaded with another priority, these filters get overwritten inconsistently over time and over load order, depending on in which hook the nonce is created and where it is checked.

I experienced this issue on two different customer websites this week.

Example to reproduce it:
- Create a nonce with wp_create_nonce() in hook admin_enqueue_scripts(). Use a plugin to do this.
- Populate the nonce there with wp_localize_script(), just as you would to access it with JS.
- Create a filter and overwrite the life span in wp_nonce_tick().
- Put this filter into ANOTHER plugin:
{{{
// Shortens the nonce lifetime that wp_nonce_tick() works with to 10600 seconds.
function overwrite($seconds){
    return 10600;
}
add_filter('nonce_life', 'overwrite', 1);
}}}
Now check the wp_nonce_tick() in the first plugin from another hook like admin_init and you will notice that the results differ. This is not unusual or unexpected in the way these filters work, but as wp_nonce_tick() is part of the nonce hash, the whole nonce will differ as well and as a result the wp_nonce_check fails completely then.

In my opinion, this filter should be removed entirely to ensure that the nonce is always consistent and cannot be changed by third parties. There should be no way to change the value of a hash by filters.

This is not such a rare possible issue if you look at how many plugins are changing the nonce_life value: https://github.com/search?utf8=%E2%9C%93&q=nonce_life&type=Code

To make my plugin work for all users I also need to play the same game and use a filter to change the nonce_life value to ensure it is every time the same in my plugin instance. The alternative would be to remove the nonce check altogether. Not really something I like to do.",defect (bug),closed,normal,,Security,4.8.1,critical,wontfix,dev-feedback 2nd-opinion close,,
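A minimal stand-alone PHP model of the failure the ticket describes, added here as an illustration and not code from the ticket or from WordPress core; the `demo_*` functions, the key, the session token and the timestamp are constructed assumptions, and `$life` stands in for the value `apply_filters('nonce_life', DAY_IN_SECONDS)` returns in core.

```php
<?php
// Constructed stand-in for the salted key wp_hash() uses with the 'nonce' scheme.
const DEMO_NONCE_KEY = 'constructed-demo-key-not-a-real-secret';

// Modelled on wp_nonce_tick(): ceil(time() / (nonce_life / 2)).
function demo_nonce_tick(int $life, int $now): int {
    return (int) ceil($now / ($life / 2));
}

// Modelled on core: an HMAC over tick|action|uid|token, keeping 10 of the last 12 hex chars.
function demo_nonce_hash(int $tick, string $action, int $uid, string $token): string {
    $hmac = hash_hmac('md5', $tick . '|' . $action . '|' . $uid . '|' . $token, DEMO_NONCE_KEY);
    return substr($hmac, -12, 10);
}

function demo_create_nonce(string $action, int $uid, string $token, int $life, int $now): string {
    return demo_nonce_hash(demo_nonce_tick($life, $now), $action, $uid, $token);
}

// Like wp_verify_nonce(): 1 for the current tick, 2 for the previous tick, false otherwise.
function demo_verify_nonce(string $nonce, string $action, int $uid, string $token, int $life, int $now) {
    $tick = demo_nonce_tick($life, $now);
    if (hash_equals(demo_nonce_hash($tick, $action, $uid, $token), $nonce)) {
        return 1;
    }
    if (hash_equals(demo_nonce_hash($tick - 1, $action, $uid, $token), $nonce)) {
        return 2;
    }
    return false;
}

$now = 1700000000;                      // constructed fixed clock
$uid = 1;
$token = 'constructed-session-token';
$default_life = 86400;                  // DAY_IN_SECONDS, no nonce_life filter in effect
$plugin_b_life = 10600;                 // value returned by the other plugin's nonce_life filter

// Plugin A creates the nonce in admin_enqueue_scripts while the filter is not yet in effect,
// then checks it in admin_init after plugin B's filter has changed nonce_life: the tick
// (and therefore the hash) differs, and neither the current nor the previous tick matches.
$nonce = demo_create_nonce('my-action', $uid, $token, $default_life, $now);
var_dump(demo_verify_nonce($nonce, 'my-action', $uid, $token, $plugin_b_life, $now));

// Mitigation: make the lifetime identical at both ends, e.g. register one nonce_life
// filter once early (plugins_loaded) so creation and verification see the same value.
var_dump(demo_verify_nonce($nonce, 'my-action', $uid, $token, $default_life, $now));
```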