Make WordPress Core

Opened 4 years ago

Last modified 2 years ago

#51463 new enhancement

Fire an action prior to AJAX action handling (allows diagnostics)

Reported by: DavidAnderson
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch
Focuses:
Cc:


Currently, admin-ajax.php has no action that it will fire if there is no action hooked.

This means that you can't (without using hacks) track calls to "unhooked" actions. To be able to track those calls is useful for various diagnostic purposes. For example, logging bots which speculatively call a list of various actions belonging to vulnerable plugins. Or, detecting and logging coding errors.

The attached patch adds a "pre_wp_ajax" action call to allow plugins to monitor calls to unhooked AJAX actions.

Attachments (1)

pre-ajax-action.patch (684 bytes) - added by DavidAnderson 4 years ago.
Add "pre_wp_ajax" action call


Change History (5)

4 years ago

Add "pre_wp_ajax" action call

#1 @johnbillion
4 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to Future Release

This is a good idea. It could instead fire a little further down and receive a parameter with the result of the has_action check? Maybe one for the wp_ajax_ action and one for the wp_ajax_nopriv action before they call wp_die().

#2 @DavidAnderson
4 years ago

I tend to think that the parameters passed to an action shouldn't include ones it can directly derive from what it has already got. So, here, the called function can already call is_user_logged_in() and has_action() itself.

I didn't clarify in the original post that the placement of the action was chosen so that it can also be used for diagnostics when the action *is* hooked.

Last edited 4 years ago by DavidAnderson
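The ticket description and comment #2 describe how a plugin would use the proposed hook: fire before dispatch, pass nothing, and let the handler derive what it needs from is_user_logged_in() and has_action(). The following is an added example written for this page, not the attached patch or any code from the ticket. It assumes that "pre_wp_ajax" fires in admin-ajax.php before the wp_ajax_{$action} / wp_ajax_nopriv_{$action} dispatch with no arguments, reads the requested action from $_REQUEST['action'] as admin-ajax.php does, and logs requests for actions that have no handler. The threshold, the transient key prefix and the "example_unhooked_ajax_flood" action are hypothetical names chosen for the example.

```php
<?php
/**
 * Plugin Name: Unhooked AJAX Action Logger (example)
 *
 * Added example for ticket #51463, not the ticket's patch. Assumes the
 * proposed "pre_wp_ajax" action fires in admin-ajax.php before core checks
 * has_action() for wp_ajax_{$action} / wp_ajax_nopriv_{$action}, and that it
 * passes no arguments (the handler derives everything itself).
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

add_action( 'pre_wp_ajax', 'example_log_unhooked_ajax_action' );

/**
 * Log AJAX requests whose action has no registered handler.
 *
 * Runs for every admin-ajax.php request, hooked or not, so it must stay cheap.
 */
function example_log_unhooked_ajax_action() {
	// admin-ajax.php dispatches on $_REQUEST['action'].
	$action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
	if ( '' === $action ) {
		return;
	}

	// Mirror core's dispatch rule: logged-in users are routed to
	// wp_ajax_{$action}, everyone else to wp_ajax_nopriv_{$action}.
	$hook = is_user_logged_in() ? "wp_ajax_{$action}" : "wp_ajax_nopriv_{$action}";
	if ( has_action( $hook ) ) {
		return; // A handler exists; nothing to report.
	}

	// Attacker-controlled strings go into the log, so strip control characters
	// and truncate to defeat log injection and oversized entries.
	$safe_action = example_log_safe( $action, 64 );
	$user_agent  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
	$safe_ua     = example_log_safe( $user_agent, 120 );

	// REMOTE_ADDR is the TCP peer; behind a reverse proxy this is the proxy,
	// not the client, unless the site is configured to trust forwarded headers.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
	if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		$ip = 'unknown';
	}

	error_log( sprintf(
		'[%s] admin-ajax unhooked action=%s hook=%s ip=%s ua=%s',
		gmdate( 'c' ),
		$safe_action,
		is_user_logged_in() ? 'wp_ajax' : 'wp_ajax_nopriv',
		$ip,
		$safe_ua
	) );

	// Count probes per client for one hour (hypothetical key prefix and
	// threshold). Banning is left to the site owner or another plugin that
	// listens on the hypothetical "example_unhooked_ajax_flood" action.
	$key  = 'example_unhooked_ajax_' . md5( $ip );
	$hits = (int) get_transient( $key ) + 1;
	set_transient( $key, $hits, HOUR_IN_SECONDS );
	if ( $hits >= 20 ) {
		do_action( 'example_unhooked_ajax_flood', $ip, $hits, $safe_action );
	}
}

/**
 * Make an untrusted string safe to write to a text log: printable ASCII only,
 * capped at $max characters.
 */
function example_log_safe( $value, $max ) {
	$clean = preg_replace( '/[^\x20-\x7e]/', '?', $value );
	return substr( $clean, 0, $max );
}
```

The handler does not ban anyone itself: a plugin cannot tell a vulnerability scanner from a legitimate client that merely targets a deactivated plugin, so it records the evidence and raises a count that other code can act on. Because the hook as proposed fires even when the action is hooked, everything before the has_action() early return is on the hot path of every AJAX request and should do no database work.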

#3 @DavidAnderson
3 years ago

@johnbillion Any chance this can go in before WP 5.6? I'm eager to ban the bad guys without needing to code ugly hacks.

#4 @DavidAnderson
2 years ago

@johnbillion Is there any bandwidth available to look at this?
