Skip to content

fix(security): sanitize $_GET input before nonce construction in wp_ajax_fetch_list().#11526

Open
rajeshcpr wants to merge 2 commits intoWordPress:trunkfrom
rajeshcpr:rajeshcpr-patch-1
Open

fix(security): sanitize $_GET input before nonce construction in wp_ajax_fetch_list().#11526
rajeshcpr wants to merge 2 commits intoWordPress:trunkfrom
rajeshcpr:rajeshcpr-patch-1

Conversation

@rajeshcpr
Copy link
Copy Markdown

@rajeshcpr rajeshcpr commented Apr 9, 2026

Raw $_GET['list_args']['class'] and $_GET['list_args']['screen']['id'] were used directly to build the nonce action string and passed to _get_list_table() without any sanitization or existence checks. An attacker controlling list_args[class] could influence the nonce key being verified, undermining the referer check. Apply sanitize_key() and isset() guards to both values before use, ensuring the nonce action string and _get_list_table() arguments are constructed from clean input.

Trac ticket: https://core.trac.wordpress.org/ticket/65048

Fixes #65048

Use of AI Tools

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@rajeshcpr
fix(security): sanitize $_GET input before nonce construction in wp_a…
02f04fe 
…jax_fetch_list()

Raw $_GET['list_args']['class'] and $_GET['list_args']['screen']['id'] were used
directly to build the nonce action string and passed to _get_list_table() without
any sanitization or existence checks. An attacker controlling list_args[class]
could influence the nonce key being verified, undermining the referer check.
Apply sanitize_key() and isset() guards to both values before use, ensuring the
nonce action string and _get_list_table() arguments are constructed from clean input.
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 9, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props rajeshcp.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 9, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rajeshcpr