Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#63329 new enhancement

Use check_ajax_referer() instead of check_admin_referer() for AJAX requests in media form handling.

Reported by: khushipatel15 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.8
Component: Security Keywords: has-patch
Focuses: coding-standards, php-compatibility Cc:

Description

This patch replaces the use of check_admin_referer( 'media-form' ) with check_ajax_referer( 'media-form' ) in the relevant media-handling code to better align with AJAX request security practices in WordPress.

The check_ajax_referer() function is specifically intended for verifying nonces on AJAX requests and provides a more appropriate response structure for such scenarios. It also ensures compatibility with how WordPress handles wp_die() in AJAX contexts, where it returns a -1 response instead of rendering an HTML error page.
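The following is an added illustration, not code from the ticket, its patch, or WordPress core: a minimal admin-ajax handler that emits the `media-form` nonce with `wp_nonce_field()` and verifies it with `check_ajax_referer()`. The action name `example_media_form`, the function names and the `upload_files` capability check are assumptions made for the example.

```php
<?php
/**
 * Added example (not part of ticket #63329 or its patch). It shows the
 * request/response behaviour the ticket describes: check_ajax_referer()
 * reads the nonce from '_wpnonce' or '_ajax_nonce' and, with its default
 * $stop = true, ends a failed AJAX request with wp_die( -1, 403 ) rather
 * than the HTML "link expired" page check_admin_referer() renders through
 * wp_nonce_ays(). The action name 'example_media_form' is an assumption.
 */

// Render the form. wp_nonce_field( 'media-form' ) emits a hidden '_wpnonce'
// input tied to the 'media-form' action, which is what both referer checks
// expect to find in the request.
function example_render_media_form() {
	?>
	<form id="example-media-form" method="post"
	      action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
		<input type="hidden" name="action" value="example_media_form" />
		<?php wp_nonce_field( 'media-form' ); ?>
		<input type="text" name="title" />
		<button type="submit">Save</button>
	</form>
	<?php
}

// AJAX handler registered for logged-in users.
function example_handle_media_form() {
	// Passing false as the third argument lets the handler decide what a
	// failed check returns; the default (true) would already have stopped
	// the request with a -1 response. wp_verify_nonce() returns false, 1 or 2.
	if ( false === check_ajax_referer( 'media-form', '_wpnonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
	}

	// A nonce proves intent, not authorization: the capability check is
	// still required (capability chosen for this example).
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$title = isset( $_POST['title'] )
		? sanitize_text_field( wp_unslash( $_POST['title'] ) )
		: '';

	wp_send_json_success( array( 'title' => $title ) );
}
add_action( 'wp_ajax_example_media_form', 'example_handle_media_form' );
```

The example returns JSON on failure so a JavaScript caller can distinguish a stale nonce from a permissions problem; leaving the third argument at its default reproduces the plain `-1` response the description refers to.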

Attachments (1)

63329.patch (1004 bytes) - added by khushipatel15 4 weeks ago.
This patch shows use of ajax reference.


Change History (2)

@khushipatel15
4 weeks ago

This patch shows use of ajax reference.

#1 @narenin
4 weeks ago

Hi @khushipatel15

Thanks for the patch.

But check_admin_referer() also ensures intent by verifying that a user was referred from another admin page with the correct security nonce, so in this case we are also checking the nonce.
