Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#5664 closed defect (bug) (invalid)

wp_nonce_ays(): "Yes"-Button in nonce confirmation does not work

Reported by: salgar
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 2.3
Component: General
Keywords:
Focuses:
Cc:


In function wp_nonce_ays() (in functions.php, line 1197), the form action for the "Yes" button is set to $pagenow. It should be set to $_SERVER['REQUEST_URI'].

Currently the "Yes" button in the nonce confirmation pages of my plugin leads to admin.php instead of admin.php?page=pluginname.php.

This issue is also described by ozh in a mail to the wp-hackers mailing list.

Change History (2)

#1 @westi
8 years ago

  • Milestone changed from 2.3.3 to 2.6
  • Owner changed from anonymous to westi
  • Status changed from new to assigned

#2 @westi
8 years ago

  • Milestone 2.6 deleted
  • Resolution set to invalid
  • Status changed from assigned to closed

wp_nonce_ays() is dead as it allowed CSRF attacks on logged in users.
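
Added example, not part of the ticket and not WordPress code: a simplified PHP model of why a "Yes/No" confirmation shown after a failed nonce check undermines CSRF protection, next to a handler that fails closed. It assumes the confirmation form replays the request with a newly issued valid token, which the ticket itself does not spell out; `SECRET`, `make_token`, `token_ok`, `handle_with_confirm` and `handle_fail_closed` are hypothetical names, and the request data is constructed.

```php
<?php
// Simplified model (assumption): the token is an HMAC over user and action.
// Real nonces also include a time component; it is omitted here.
const SECRET = 'constructed-demo-key';

function make_token(string $user, string $action): string {
    return hash_hmac('sha256', $user . '|' . $action, SECRET);
}

function token_ok(string $user, string $action, string $token): bool {
    return hash_equals(make_token($user, $action), $token);
}

// Confirmation pattern: on a bad token, build a form that replays the
// submitted fields together with a freshly issued, valid token.
function handle_with_confirm(string $user, string $action, array $post): array {
    if (token_ok($user, $action, $post['_token'] ?? '')) {
        return ['status' => 200, 'done' => true, 'form' => null];
    }
    $replay = $post;
    $replay['_token'] = make_token($user, $action); // server vouches for the request
    return ['status' => 200, 'done' => false, 'form' => $replay];
}

// Fail-closed pattern: reject the request and issue nothing.
function handle_fail_closed(string $user, string $action, array $post): array {
    if (token_ok($user, $action, $post['_token'] ?? '')) {
        return ['status' => 200, 'done' => true, 'form' => null];
    }
    return ['status' => 403, 'done' => false, 'form' => null];
}

// Constructed input: a request made in a logged-in user's session
// that carries no token, as a cross-site request would.
$action  = 'delete-post_42';
$request = ['post_id' => '42'];

$confirm   = handle_with_confirm('admin', $action, $request);
// Submitting the rendered form ("Yes") now passes verification.
$after_yes = handle_with_confirm('admin', $action, $confirm['form']);
$strict    = handle_fail_closed('admin', $action, $request);

var_dump($confirm['done']);   // action not yet performed
var_dump($after_yes['done']); // performed after a single click
var_dump($strict['status']);  // rejected outright
```

In the confirmation pattern, the only barrier left between an untrusted request and the privileged action is one click on a page the server itself rendered; the fail-closed handler leaves nothing to click.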
